Properly disclosing a vulnerability you find on a website, open-source project, or app is not an easy task, especially not the first time. There are many things to pay attention to, and that can go wrong. But if done properly, it can be very rewarding, as most companies are very grateful. Whether you want to learn how to disclose your first vulnerability in the easiest way possible or you want to hear about best practices and suggestions on what to do when things do not go as planned, this talk is for you.

While most vulnerability disclosures go smoothly, I've learned through experience - especially with my last disclosure - that things can get tricky when a company ignores your attempts to report a problem. I've found that some important steps aren't covered in most guides, and I've picked up tips that are rarely mentioned but really helpful. In this talk, I aim to share those insights and make the entire process less intimidating for those new to it. I believe understanding how to disclose vulnerabilities properly can help more people get involved in improving security.

My responsibly disclosed CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36460

Slides: https://github.com/martinfrancois/devnexus-2024/blob/main/Devnexus_2024-The_Art_of_Vulnerability_Disclosure.pdf