Jennifer Fernick
Jennifer Fernick is a computer scientist and the SVP & Global Head of Research at NCC Group, a major information assurance firm, and is a founding Governing Board and Technical Advisory Committee member of the Open Source Security Foundation. Most recently, she was Director, Information Security at a large global financial institution, after a tenure as their Senior Cryptographic Security Architect. She spent four years as a PhD researcher at the University of Waterloo, as a member of the Institute for Quantum Computing and the Centre for Applied Cryptographic Research, where her research focused on cryptography & quantum algorithms. Jennifer was a part of the 2018 cohort of the Berkman Assembly at Harvard University and MIT Media Lab, and was a 2019 Technologist Fellow at the National Security Institute at George Mason University. Her career has included designing and building satellite systems, working on bleeding edge cryptography research, building secure systems at massive scale, running incident response events for core pieces of critical infrastructure, and leading the development of global technology standards. She holds a Master of Engineering degree in Systems Design Engineering from the University of Waterloo, and an Honours Bachelor of Science in Cognitive Science & Artificial Intelligence from the University of Toronto. Jennifer spent multiple years as CFP Chair of Crypto & Privacy Village at DEF CON, and has served on the review boards of venues including USENIX CSET, USENIX Enigma, USENIX WOOT, multiple NeurIPS workshops, and IEICE Transactions Japan, and regularly speaks at major technology conferences including the Linux Foundation Member Summit, the European Conference on Machine Learning, RSA, CFI-CIRT, DEF CON, O'Reilly Artificial Intelligence, and Black Hat USA.
Session
Open source software is incredibly powerful - and while that power is often used for good, it can be weaponized when open-source projects contain software security flaws that attackers can use to compromise those systems, or even the entire software supply chains that those systems are a part of. The Open Source Security Foundation is an open, cross-industry group aimed at improving the security of the open source ecosystem. In this presentation, members of the OpenSSF Vulnerability Disclosure working group will be sharing with open-source maintainers advice on how to handle when researchers disclose vulnerabilities in your project’s codebase - and we’ll also take any questions you have about this often mysterious topic!
Part 1 of this presentation will give an overview of the basics of Coordinated Vulnerability Disclosure (CVD) for open-source software maintainers, including some basics about security vulnerabilities, how to communicate securely and write patches without leaking vulnerability information, what you can expect during a disclosure with a researcher, and how to handle challenging scenarios like when you can’t patch, when a vulnerability is already being exploited by a threat actor in the wild, or when a vulnerability impacts many downstream dependencies.
Part 2 of this presentation will include a discussion about vulnerability disclosure best practices, pitfalls, and challenges. We will also welcome questions from the audience - ask us anything about dealing with vulnerabilities in open source!