discussion

This discussion session has two parts:

• Vulnerability Disclosure: What are the legal and ethical issues  governing the disclosure of a vulnerability by an independent technical  person (e.g., cyber researcher). See this paper: https://www.eff.org/issues/coders/vulnerability-reporting-faq.  What are the legal obligation of the government if they come to know  about a vulnerability? Can they corner the vulnerability market and  exploit a vulnerability against an adversary. See this paper Dorothy  Denning: https://learn.umuc.edu/content/enforced/111374-022073-01-2158-GO1-9040/DDenning.pdf?_&d2lSessionVal=hDspQFvvJP69gBZD9LTeVUUTl. 
• Attack Disclosure: What are the legal obligations (as well as  protection for sharing) of companies about attacks on their systems and  possible future attacks and vulnerabilities? Who should they disclose  to: government, users of their systems who were affected by the breach  and investors? See   
  • https://www.davispolk.com/sites/default/files/agesser.Cybersecurity.Law_.Report.aug15.pdf
  • https://corpgov.law.harvard.edu/2016/03/03/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015/
  • http://insurancethoughtleadership.com/cybersecurity-five-tips-on-disclosure-requirements/
  • http://www.wsj.com/articles/should-companies-be-required-to-share-information-about-cyberattacks-1463968801