Panel Discussion - The Risks of Requiring Premature Vulnerability Disclosures 

FIRST

Kathleen Noble (Intel, US), Tanvi Chopra (Venable, US), Rob Spiger (Microsoft, US), Michael Woolslayer (HackerOne, US)
Katie Noble serves as a CVE Program Board, Bug Bounty Community of Interest Board, and Hacking Policy Council member. She is a passionate defensive cybersecurity community activist who is regularly involved in community-driven projects and is most happy when she is able to effect positive progress in cyber defense. In her day job Katie Noble serves as a Director of PSIRT, Bug Bounty, and the Security Working Artifacts Team at a Fortune 50 Technology Company. Prior to joining the private sector, Katie spent over 15 years in the US Government, most recently as the Section Chief of Vulnerability Management and Coordination at the Department of Homeland Security, Cyber and Infrastructure Security Agency (CISA). Her team is credited with the coordination and public disclosure of 20,000+ cybersecurity vulnerabilities within a two-year period. During her government tenure, in roles spanning Intelligence Analyst for the National Intelligence Community to Senior Policy Advisor for White House led National Security Council Cyber programs, Katie’s work directly impacted decision making for government agencies in the United States, United Kingdom, Canada, and Australia.
Michael Woolslayer is Policy Counsel at HackerOne, where he supports public policy efforts and legal matters. Michael previously was one of HackerOne's first customer success managers, which included managing the Hack the Pentagon bug bounty pilot program. Michael’s additional prior experience includes practicing technology, security, and privacy law at Perkins Coie LLP and various roles with defense technology start-ups.
Rob Spiger works on cybersecurity policy at Microsoft, specializing in cyber resilience, security by design, and regulatory harmonization. He is an industry security expert with a background in trusted computing technology and standards development. He collaborates with global technologists from industry, government and academic institutions who are devoted to advancing security policy, technology, research, and innovation. He joined Microsoft in 2003 and prior to 2012 he was responsible for technical program management of Windows security features as a part of the security and identity team. He holds degrees in computer science with honors and electrical engineering from the University of Washington.
Tanvi Chopra is a Senior Cybersecurity Analyst at Venable LLP, specializing in providing clients with guidance on cybersecurity and data protection policies, laws, regulations, and compliance matters across various jurisdictions, including the EU, UK, and the U.S. With a keen focus on policy development, Tanvi actively engages in addressing critical cybersecurity issues including in the areas of vulnerability disclosure, incident reporting, data and product security, Open RAN, workforce, and much more.
Leveraging her comprehensive understanding of cybersecurity trends and challenges, Tanvi delivers newsletters, white papers, op-eds, letters, and research reports to cybersecurity trade associations, private companies, and governments. Her efforts aim to foster collaboration within the cybersecurity ecosystem and elevate global awareness of cybersecurity issues.
Prior to joining Venable, Tanvi served as an intern at an international law firm, where she worked on matters related to national security and cybersecurity policy.
---
Should your organization be required to disclose vulnerabilities before you’ve had a chance to fix them? Governments have begun embracing the concept of vulnerability disclosure, but are co-opting the process and creating new risks to security.
This panel will discuss a concerning regulatory trend of requiring organizations to disclose unmitigated vulnerabilities to government agencies. This trend includes major cybersecurity regulations that affect many parts of the security ecosystem, such as the EU Cyber Resilience Act, FISMA modernization legislation, France’s Military Programming law, and China’s Regulation on the Management of Network Product Security Vulnerabilities. This discussion will outline the security implications of requiring the disclosure of unmitigated vulnerabilities to government agencies, including the risk of alerting adversaries, vulnerabilities potentially being used for state intelligence or offensive purposes, creating a dangerous precedent for other countries to follow suit, and deterring good faith security research. Finally, the panel will recommend safeguards for companies and policymakers to adopt and ensure cybersecurity best practices.

Published: May 8, 2024
