fwd:cloudsec Europe 2024

Doing bad things for the right reasons: A look at the AWS vulnerability disclosure and remediation process
09-17, 11:55–12:15 (Europe/Brussels), Main Room

Summary

In an era where cloud services form the backbone of our digital infrastructure, uncovering cloud vulnerabilities and ensuring their responsible disclosure is paramount. This session explores the key aspects of responsibly disclosing security research findings in cloud environments: the research process, how researchers approach cloud services, the Coordinated Vulnerability Disclosure (CVD) process, embargo periods, strategies for protecting customers, and real-world examples.

https://aws.amazon.com/security/vulnerability-reporting/

Outline:

  • How does a security researcher approach cloud services?
  • Coordinated Vulnerability Disclosure (CVD)
  • A vulnerability has been identified. What's next?
  • AWS workflow
  • Real-world examples
  • What are embargo periods?
  • What is public disclosure?
  • Where to report?
Speaker

Ryan is a Senior Security Engineer on AWS's Outreach Team and a co-author of AWS Detective. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With almost two decades in the infosec field, Ryan has worked on the development and operations side of companies such as Postman, Sqrrl, Carbon Black, Crossbeam Systems, SecureWorks and Fidelity Investments. Ryan is an active speaker and writer on threat hunting and endpoint security.