Aperture Podcast: ZDI’s Dustin Childs on the Evolution of Vulnerability Disclosure
By Michael Mimoso | Claroty Editorial Director
Discussions about vulnerability disclosure don’t elicit the dread and groans they may have 15 years ago, largely because the discipline has matured and many organizations have a firm handle on vulnerability management, patch prioritization, and the need for secure software development.
In this first episode of Claroty’s new podcast, Aperture, Dustin Childs, communications manager of the Zero Day Initiative (ZDI), talks to Editorial Director Michael Mimoso about the changing face of vulnerability disclosure, and how the security industry has provided a safe space for most researchers to look for bugs and also earn financial compensation.
Childs explains some of this history through ZDI’s lens—ZDI turned 15 this year—and from 20-plus years in information security that include stints with Microsoft and HP. He talks about a number of pertinent issues, including the role of contests such as ZDI’s Pwn2Own events, and the bug bounty industry, in putting researchers in front of vendors with a common goal of getting critical security issues fixed.
“Any time you can get people who are making software together with independent security researchers, combine those things, you can collaborate, find the bugs, fix the bugs. That’s going to be better than letting an adversary or attacker, someone who is going to find the bug eventually,” Childs said. “It’s better that the good guys find them and fix them than otherwise.”
This extensive conversation also covers how research into industrial control system vulnerabilities is becoming more mainstream, and how January’s Pwn2Own contest, held in parallel with the annual S4x20 conference in Miami, was a watershed moment. ZDI, Childs said, worked on an ICS- and SCADA-centric Pwn2Own for some time, partnering with organizations such as Rockwell Automation and Schneider Electric to understand the space and what attackers may be targeting.