LASCON 2017 has ended
View analytic
Friday, October 27 • 12:00pm - 1:00pm
The Role of Empathy in Vulnerability Disclosure Practices for Software Vendors

Sign up or log in to save this to your schedule and see who's attending!

Feedback form is now closed.

There are guides and templates for how to write a security advisory and handle inbound vulnerability reports, but the act of disclosing a vulnerability existed in your software is much more than filling in the blanks and working through a process map.  Vulnerability disclosure also involves many stakeholders beyond one's security team.  Decisions around how to share information, an understanding of your intended audience, and the support provided to impacted customers are critical components that can be represented in process but are also driven by an expression of what that team values.  The word “empathy” does not appear in ISO 29147 - but it plays a key role in this process, and the right response can preserve or build trust while a tone-deaf disclosure can destroy it.


In this talk, we’ll walk through a product security advisory and detail how we brought together a cross-functional team and why we made various decisions based on process and an understanding of the needs of customers.  We’ll share what went well, what we learned, and suggestions for future consideration related to security advisories and response practices.

avatar for Adam Goodman

Adam Goodman

Principal Security Architect, Duo Security
Adam is Principal Security Architect at Duo Security, and has been responsible for leading various aspects of Duo's security engineering practice since 2010. He has spent well over a decade building secure systems, protocols, and culture (and occasionally veering into security research... Read More →

Friday October 27, 2017 12:00pm - 1:00pm
Security Innovation Room

Attendees (16)