The Art of Vulnerability Disclosure

Properly disclosing a vulnerability you found on a website, open source project, or app is not an easy task, especially not the first time. There are a lot of things to pay attention to and that can go wrong. But if done properly, it can be very rewarding, as most companies are very grateful. Whether you want to learn how to disclose your first vulnerability in the easiest way possible, or you want to hear about best practices and suggestions on what to do when things do not go as planned, this talk is for you.

While most vulnerability disclosures go smoothly, I've learned through experience—especially with my last disclosure—that things can get tricky when a company ignores your attempts to report a problem. I've found that some important steps aren't covered in most guides, and I've picked up tips that are rarely mentioned but really helpful. In this talk, I want to share those insights and make the whole process less intimidating for people who are new to it. I believe understanding how to disclose vulnerabilities properly can help more people get involved in improving security.

My responsibly disclosed CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36460

Slides: https://github.com/martinfrancois/devnexus-2024/blob/main/Devnexus_2024-The_Art_of_Vulnerability_Disclosure.pdf

François Martin

Senior Full Stack Software Engineer at Karakun

Brugg, Switzerland
