While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue. The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.

1. “The Current and Future of Coordinated
Vulnerability Disclosure”
International Panel Discussion
(JPN) Hiroyuki Itabashi (Information Promotion Agency)
(EU) Lorenzo Pupillo, PhD (Associate Senior Research Fellow -
GRID Unit, Head of the Cybersecurity@CEPS Initiative)
(US) Allan Friedman, PhD (Senior Advisor and Strategist,
Cybersecurity & Infrastructure Security Agency)
Moderator, Ikuo Takahashi (Komazawa Legal Chambers)

2. Vulnerabilities
• By Definition
• Per Japan Early Warning Partnership
• “A security weakness where the functionality or performance can be impacted by
an attack such as computer viruses or unauthorized computer access”
• Per ISO/IEC 27000:2009, 2.46, modified
• “weakness of software, hardware, or online service that can be exploited”
• Importance at present
• Opportunity for Cyber Threats, e.g. ”Fuel for attacks”
• Opportunity for whom
• Cyber criminals/State-sponsored attack
• Governments, Attacker/Defender

3. Coordinated Vulnerability Disclosure
Full disclosure
• Malicious attackers already know
about a vulnerability, so it is best if
everyone knows their techniques.
• Vendors cannot hide bugs about
vulnerabilities once they are publicly
disclosed.
• Disclosure of vulnerability information
is necessary to create a better system
in the future.
• We should regard the concept that the
vulnerability information is the
property of the discoverer as positive
one.
Responsible disclosure
• Most vulnerabilities are
investigated with the motivation of
the disclosure itself.
• E.g. as a demonstration of one's
competence instead of for the
purpose of eliminating the
vulnerability
• There can be other ways to
effectively disclose vulnerabilities.
• Creating an improved system does
not require providing detailed
vulnerability information or testing.

4. Coordinated Vulnerability Disclosure
Per Region
JAPAN EU US
Present • Early Warning
Partnership (2004~)
• PSIRT awareness-raising
activities
• Active mediation
function of state
agencies
• Coordinated Vulnerability
Disclosure Policies.
• Mixed responses from
country to country
• Examples: advanced
Belgium, Netherlands,
France
• Legal cases (~2010) toward
protection of researchers
• Government activities
• FTC (Federal Trade Commission)
and regulators in IoT
• Cooperation between researchers
and vendors
• Leverage by law enforcement
agencies
International
trends
• Closer relationships between National Security and Cybersecurity
• Bug bounty programs
• Formalized Standards
• ISO/IEC 29147:2018120 Information technology -- Security techniques -- Vulnerability disclosure
• ISO/IEC 30111:2013 Information technology -- Security techniques -- Vulnerability handling
processes
• RFC9116 File Format for Security Vulnerability Disclosure Support