LocoMocoSec: Hawai'i Product Security Conference

The Microsoft Security Response Center leads vulnerability response and disclosure for all Microsoft’s products and services – including open source software that Microsoft maintains and products or services that consume OSS.  OSS security vulnerabilities usually affect multiple parties and in many cases it is necessary for these parties to come together to coordinate the disclosure to minimize the risk and disruption to end-users (this is usually known as multi-party coordinated disclosure).  This talk will present examples in multi-party coordination involving OSS, including coordination related to hardware (e.g., CVE-2018-8897), software (e.g. CVE-2019-5736) and standards/protocol weaknesses (e.g. CVE-2018-5391).  We will extract commonalities, challenges, and lessons learned across several scenarios and provide our recommendations on coordinated multi-party response for organizations that are building or improving their product security response programs.