Security researcher Max van der Horst will come to Leiden Law School to give a session on Coordinated Vulnerability Disclosure as part of the series for the 2023-2024 class of the Adv. LLM on Law and Digital Technologies. The session is entitled “Ethical Vulnerability Mass-Exploitation 101: Theory and Practice".

Bio

Max van der Horst is a security researcher at the Dutch Institute for Vulnerability Disclosure and Thales Advanced Development Systems. He has a background in Cyber Threat and Vulnerability Intelligence, Geopolitics, Information Security Management and Digital Forensics with an MSc in Security and Network Engineering. At the Dutch Institute for Vulnerability Disclosure, he co-leads the Computer Security Incident Response Team (CSIRT) consisting of 14 security professionals and is a part of the CVE Numbering Authority (CNA) team, where he evaluates and registers new zero-day vulnerabilities for global communication. 

Session

Coordinated Vulnerability Disclosure involves the hacking of computer systems with the intent of disclosing any found vulnerabilities to the developer and/or owner of that system. Over the years, this principle has been subject to public scrutiny and discussion, with relevant jurisprudence as a result. The Dutch Institute for Vulnerability Disclosure (DIVD) is a non-profit organisation known for adapting to this jurisprudence with a Code of Conduct in order to perform global-scale Coordinated Vulnerability Disclosure on thousands of systems at the same time. It does so by scanning for vulnerabilities on all IP-addresses, verifying the vulnerability and contacting the owners of the found systems. 

This session takes along the audience in the practical application of DIVD’s Code of Conduct. It answers questions such as why this behaviour is considered ethical and what considerations come with this requirement, why the principles of societal need, proportionality and subsidiarity are considered central elements to responsible hacking and how this translates to technical practice. The audience will be taken along in a set of case studies, after which they get the opportunity to reconstruct a past investigation using Open-Source Intelligence (OSINT). At the end of the workshop, attendees will have both the theoretical underpinnings and hands-on experience to understand one of hacker culture’s most important topics of the past decade.

Additional preparation for this session can be done by reading section 4.1 of this paper.

This session is part of the TechTrends Workshops of the Advanced Master Law and Digital Technologies, but it is also open to others who are interested. If you plan to attend, please let us know via elaw@law.leidenuniv.nl.