@kwm Twitter archive

Keith

@kwm

I don't believe that there's any relevant issue with respect to vuln disclosure. Vulns that are discovered are hoarded, sold or disclosed.

7/13/2015, 1:41:52 PM

Favs: 0

Retweets: 0

Keith

@kwm

A "consensus-based multistakeholder process" isn't going to change if/when vulnerability disclosure occurs.

7/13/2015, 1:42:06 PM

Favs: 0

Retweets: 0

Keith

@kwm

Assuming that the intent is to steer/mandate action following disclosure, I'm not optimistic about impact.

7/13/2015, 1:42:23 PM

Favs: 0

Retweets: 0

Keith

@kwm

Vulnerability management is an inherently agency-specific function, and requires deep understanding of exposure, cost, etc.

7/13/2015, 1:42:44 PM

Favs: 0

Retweets: 0

Keith

@kwm

Thus, *good* vuln management implies that near-field leadership have an understanding of risk. Then need vision+ability to steer response.

7/13/2015, 1:42:56 PM

Favs: 0

Retweets: 0

Keith

@kwm

DoD/IC may have leadership capable of leading these efforts. Maybe have them dictate process to OGA? Problem is that OGAs aren't equipped.

7/13/2015, 1:43:08 PM

Favs: 0

Retweets: 0

Keith

@kwm

Solution? Any agency w/ local IT/sec policy must have strong, capable security leadership able to interpret policy relative to own risk.

7/13/2015, 1:43:19 PM

Favs: 0

Retweets: 0

Keith

@kwm

Outcome of NTIA efforts will need to be decisive and have broad executive, congressional backing in order to drive meaningful change.

7/13/2015, 1:48:24 PM

Favs: 0

Retweets: 0