Speaker Details

Fred Blaise



One does not simply fix a vulnerability as a bug


One may think that handling a security vulnerability is just about the fix, but do not be fooled. The journey stretches from explaining how to properly submit findings through the entire correction process, down to providing a security release/patch and extending to post-release follow-up.

Scenario: You receive what looks like a serious vulnerability report. That vulnerability highlights the fact that your whole application has an architectural flaw. Moreover, it is bound to a 30-day disclosure deadline. Welcome to reality. Adding a tad of fatality, you think that you may just be a step away from having a 0-day on Twitter.

Building on our experience managing the security of a popular open source project (Jenkins) as well as the internal security processes of our entire commercial portfolio, we will present challenges we encountered and solutions that let us sleep.

Scheduled on Tuesday from 15:10 to 15:55 in Room 8

Security Best Practices