TALK: Best of the Worst: Misadventures in Bug Disclosure

Dustin Childs

ABSTRACT

Founded by TippingPoint in 2005, the Zero Day Initiative (ZDI) program rewards security researchers for responsibly disclosing vulnerabilities. Since that time, the ZDI has grown to be the world's largest vendor-agnostic bug bounty program. Being vendor-agnostic means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc. We don't buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan.

This talk looks at some of the best of the worst examples of disclosing bugs to vendors. Disclosing bugs can get contentious. It can also be confusing when a vendor doesn't have a mature response process. Some reports are frustrating. Some reports are comical. And some are absolutely wild. All of them resulted in face palms at multiple levels. We'll go behind the scenes to show the sometimes gory details and laughable farces of bug disclosure. Finally, we'll offer some advice to those who may be on the receiving end of disclosure to help them ensure they don't end up in version 2.0 of this talk. Finding, disclosing, and fixing bugs are three different processes, and none of those processes are inconsequential. Here at the ZDI, we try to improve all three areas wherever we can.

Unrecorded, unfiltered, and unbelievably hilarious—this behind-closed-doors bug disclosure talk is one you’ll only hear here.

Dustin C. Childs

Head of Threat Awareness, Trend Micro Zero Day Initiative

Dustin C. Childs is a part of Trend Micro’s Zero Day Initiative (ZDI), which is the world’s largest vendor-agnostic bug bounty program. Dustin began his infosec journey in the late 1990s at the Air Force Information Warfare Center. Following his time working for the government, Mr. Childs worked in the Microsoft Trustworthy Computing group, where he served as a case manager in the Microsoft Security Response Center (MSRC) with a focus on addressing vulnerabilities in the Windows operating system and in Microsoft’s developer tools. In his current role, Mr. Childs gathers and analyzes threat intelligence from various Trend Micro and open-source resources to understand and communicate risk to enterprises. He also creates, implements, and oversees internal and external communications programs that promote the work of Trend ZDI and its researchers. He has spoken at multiple conferences including Black Hat USA, ThotCon, BlueHat, B-Sides, and multiple ISSA events.
