MCH2022

Scanning and reporting vulnerabilities for the whole IPv4 space. How the Dutch Institute for Vulnerability Disclosure scales up Coordinated Vulnerability Disclosure
2022-07-25, 19:00–19:50, Abacus 🧮

The Dutch Institute for Vulnerability Disclosure scans the internet for vulnerabilities and reports these to the people who can fix them. Our researchers will go into some of our recent cases, our board members will describe how we professionalise vulnerability disclosure and why we are allowed to somewhat break laws on computer crime and privacy.


The Dutch Institute for Vulnerability Disclosure scans the internet from our own AS (50.559) for vulnerabilities and reports these to the people who can fix them. In this session our board members will describe how we professionalise vulnerability disclosure with an independent foundation, a Code of Conduct, a common identity, a collaboration platform for independent researchers and a CSIRT to report vulnerabilities to owners of vulnerable systems.
Our researchers will go into some of our better-known cases, ranging from Citrix in 2020 to Kaseya VSA and Log4j in 2021, and others which commenced between filing this proposal and the conference. They will demonstrate how to scan, validate the data and report to users, and how those users responded.
By doing this, we kind of break several laws on computer crime and privacy protection. Still, we are allowed to, as we serve to make the internet more secure. Moreover, we also guide young security researchers to the responsible path of vulnerability disclosure. And we do it Dutch style: open, direct and for free.
Chris and Astrid will go into the way we work, Frank and Lennaert will do the cases.

Chris van ’t Hof is the Director of the Dutch Institute for Vulnerability Disclosure, a hacker collective that helps to clean up the internet for free. DIVD scans the internet for vulnerabilities and reports these to the ones who can fix them. Chris is also an independent researcher, writer and presenter in information technology. With his background in both electrical engineering and sociology, he analyses the interaction between human and electronic networks. His eighth book: “Helpful Hackers. How the Dutch do Responsible Disclosure.” During MCH, Chris is Team Lead Music, arranging the bands. For the program, see Stage Music.

Astrid Oosenbrug started as a sysadmin 20+ years ago, but has mostly been politically active since, as Member of Parliament (2012-2017), Public Affairs officer at ESET.nl and in numerous NGOs. She was critical of the invasion of privacy by new investigative legislation and has championed the introduction of Responsible Disclosure Policy within the Dutch government. She is co-founder and chair of DIVD.nl (Dutch Institute for Vulnerability Disclosure) and co-founder of DIVD.academy, where she is foster parent to many young hackers.

Frank is a man of many hats; luckily they are all some shade of white.

His day job is being CISO for Schuberg Philis, an IT services company that caters for business- and society-critical systems.
Besides that, he is an early and active member of the DIVD, and currently the CSIRT and crisis manager.
He is also the secretary of the Dutch Security Information Clearing House (Het Nederlands Security meldpunt).

In his spare time (if any) he is a dad, has a farm, dogs, chickens, fish and horses and occasionally folds balloons.

As a Security Analyst with Zerocopter, Lennaert is identifying and validating many different vulnerabilities and security issues on a daily basis. Also, as an accomplished hacker, he has found vulnerabilities on behalf of several large organizations including the Dutch government! In addition to his professional exploits, he also reports vulnerabilities "on the side" in his role as a volunteer with the Dutch Institute for Vulnerability Disclosure (DIVD). At DIVD, Lennaert has worked a number of notable cases, including some that made international headlines, such as the big July 2021 ransomware incident involving Kaseya.