FZI Live
KA-IT-Si Event "Rogue, thou hast liv'd too long."
Guide to confidently handling vulnerability reports. Or: “Don't ignore the messenger.”
In 2025, over 45,000 new vulnerabilities were discovered, some of them by independent security researchers. How should companies respond to vulnerability reports?
The trend toward vulnerability reporting has prompted various legislative and standardization bodies to take action. For example, the Cyber Resilience Act (CRA) and NIS-2 require companies to address vulnerabilities actively. In addition, more and more companies are establishing their own bug bounty programs, which are to be welcomed in terms of digital sovereignty but also present challenges. Despite these positive developments, security researchers often still face major hurdles in reporting vulnerabilities in practice.
Lecture: Guidance on confidently handling vulnerability reports by Dr. Matthias Schmidt (in German)
In his presentation, Dr. Matthias Schmidt (aramido) uses a real-life case to illustrate ways of dealing with vulnerability reports.
A student discovers a critical vulnerability in a piece of software. Should they publish the vulnerability via full disclosure or enter into a coordinated disclosure process? The company must assess how to respond to the report, fix the vulnerability, and communicate about it. For example, should the researcher be sued or receive a bug bounty?
Following the presentation, you will have the opportunity to exchange ideas at the “buffet networking” event.
Registration info
The cost is €36 per person (plus VAT), or €18 (plus VAT) for members of the CyberForum or IT Security Club.
Employees of KA-IT-Si partners and supporters, as well as students at KIT, can attend for free.
Note on the event: