Security Conferences Keep Us Honest

• Cyber Risk
• Commentary

Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Security Conferences Keep Us Honest

Conferences are where vendors and security researchers meet face to face to address problems and discuss solutions — despite the risks associated with public disclosure.

Michael Bargury, CTO & Co-Founder, Zenity

September 18, 2023

4 Min Read

Source: PG Arphexad via Alamy Stock Photo

LinkedinFacebookTwitterRedditEmail

In August on a stage at Black Hat USA, I described in detail how Microsoft guest accounts could gain access to view and manipulate sensitive corporate data, including SQL servers and Azure resources. On top of that, I showed how Power Platform could be leveraged by a hacker to create internal phishing applications that automatically authenticate their victims and create a backdoor that persists even if the hacked user is deleted. These are still open issues today, as mitigation falls in the customer’s side of the shared responsibility model — meaning every Microsoft customer would have to monitor and harden their own environments to mitigate these security holes.

Preparing for the talk, I thought long and hard about what information to share, well aware of the double-edged sword that security research can be. How can I share enough to raise awareness and drive people to action while not making the problem worse by putting it on hackers’ radar? After considering that we’ve already observed all of these issues being exploited in the wild, I decided to share the information; it was important that we leveled the playing field and gave security teams the knowledge and tools they need to keep their organizations secure.

This security researcher’s dilemma is not new, and I’m definitely not the first or only one to have to deal with it. I could point to a fewotherresearchers who were in a similar position, where they could either remain silent or educate everyone about an unsolved security issue.

The Bad Ol’ Days

Gone are the days when security researchers used to drop zero-day vulnerabilities on the Black Hat or DEF CON stages. That is, of course, a very good thing — although we did lose something as a security community (but more on that later). In conjunction, most vendors realize that security researchers are acting to keep them honest and improve the security state of the entire community. As cybersecurity executive Kymberlee Price put it in a recent interview with Ryan Naraine, just because security researchers are publishing vulnerabilities, it doesn’t make them the enemy; if they were the bad guys, they would be using the vulnerability — they wouldn’t tell you about them at all.

Admittedly, we do still get zero-day drops now and again, with the pain of recent example Log4Shell being a fresh memory. But it feels like the average researcher, especially one who works for a respectable security vendor or consultancy, goes the vulnerability disclosure route first.

It is important to remember why people are sharing this information publicly. It is because they don’t feel like they can get the vendor to fix the problem within a reasonable time frame. In the bad ol’ days, security researchers essentially lit fires that forced vendors to fix things right away.

Where We Are Today

We’re mostly in a whole different ballpark today. Most security researchers I know engage with the vendor, wait around for a reply, and then wait some more before they go out and expose things publicly.

It is important to notice the balance of power here. As a researcher, you typically find yourself facing a giant enterprise with endless resources, a strong media presence, and a whole bunch of lawyers. In many cases, you can get the feeling that those endless resources are used to avoid a PR crisis and nullify the issue rather than face it and actually make customers more secure. While some organizations do help researchers through those challenges, it always feels like David vs. Goliath.

The main issue with responsible disclosure, coordinated disclosure, and the popular vulnerability disclosure platforms today is that they put all of the decision at the sole discretion of the organization whose vulnerability is being reported, without any transparency. Sure, we have the CVE system. But issuing those is mostly at the vendor’s discretion. For the cloud services we all rely on today, the situation is even worse, with many vendors refusing to issue a CVE and having no transparency for security issues discovered and fixed on their services.

Keeping Ourselves Honest

We’ve long known that discussing problems out in the open is the best way to push ourselves to do the right thing. We seem to rediscover this fact again and again in different contexts, be it developing open source software, challenging security by obscurity, or launching initiatives for open government. In today’s state of vulnerability disclosure, many feel the pendulum has swung too much to one side, pushing vendors to make choices that minimize short-term visibility concerns at the cost of long-term customer trust and the security of the ecosystem.

Vendor security teams that receive vulnerability reports are doing incredible jobs trying to get their organizations to fix the issues and build strong relationships with researchers. But they too need help. Creating urgency to fix an issue is difficult when the organization feels they control the situation, even while their customers might be at risk.

Security conferences are where security researchers can help vendors make the right choices. They provide a tiny stick a security researcher can poke the vendor with, in hopes of spurring them into action. Information is put out there for the entire community to see and decide whether they accept the current state of things. In public.

LinkedinFacebookTwitterRedditEmail

About the Author

Michael Bargury

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.

See more from Michael Bargury

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Insights

Webinars

• Think Like a Cybercriminal to Stop the Next Potential Attack Jul 22, 2025
• Elevating Database Security: Harnessing Data Threat Analytics and Security Posture Jul 23, 2025
• The DOGE-effect on Cyber: What’s happened and what’s next? Jul 24, 2025
• Solving ICS/OT Patching and Vulnerability Management Conundrum Jul 30, 2025
• Creating a Roadmap for More Effective Security Partnerships Aug 14, 2025

More Webinars

Events

• [Virtual Event] Strategic Security for the Modern Enterprise Jun 26, 2025
• [Virtual Event] Anatomy of a Data Breach Jun 18, 2025
• [Conference] Black Hat USA - August 2-7 - Learn More Aug 2, 2025

More Events

You May Also Like

---

Cyber Risk

How CISOs Can Effectively Communicate Cyber-Risk

Cyber Risk

Ransomware Gangs Pummel Southeast Asia

Cyber Risk

India’s Critical Infrastructure Suffers Spike in Cyberattacks

Cyber Risk

NIST Hands Off Post-Quantum Cryptography Work to Cyber Teams

Edge Picks

thumbnail Cyber Risk

Browser Extensions Pose Heightened, but Manageable, Security Risks Browser Extensions Pose Heightened, but Manageable, Security Risks

URL bar of a browser showing part of a website address Endpoint Security

Gartner: Secure Enterprise Browser Adoption to Hit 25% by 2028 Gartner: Secure Enterprise Browser Adoption to Hit 25% by 2028

Icons for Chrome, Edge, and Firefox browsers on a screen Endpoint Security

ClickFix Spin-Off Attack Bypasses Key Browser Safeguards ClickFix Spin-Off Attack Bypasses Key Browser Safeguards

Stream of 0s and 1s running alongside padlock icons Endpoint Security

Extension Poisoning Campaign Highlights Gaps in Browser Security Extension Poisoning Campaign Highlights Gaps in Browser Security

Latest Articles in The Edge

• Women Who ‘Hacked the Status Quo’ Aim to Inspire Cybersecurity Careers Jul 16, 2025 |

5 Min Read

• AI Is Reshaping How Attorneys Practice Law Jul 15, 2025 |

5 Min Read

• Browser Exploits Wane as Users Become the Attack Surface Jul 9, 2025 |

6 Min Read

• Unlock Security Operations Success With Data Analysis Jul 8, 2025 |

2 Min Read

Read More The Edge

Cookies Button

About Cookies On This Site

We and our partners use cookies to enhance your website experience, learn how our site is used, offer personalised features, measure the effectiveness of our services, and tailor content and ads to your interests while you navigate on the web or interact with us across devices. By clicking “Continue” or continuing to browse our site you are agreeing to our and our partners use of cookies. For more information see Privacy Policy

CONTINUE

Cookie Policy

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

More information

Allow All

Manage Consent Preferences

Strictly Necessary Cookies

Always Active

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.    You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

Always Active

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.    All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

Functional Cookies

Always Active

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages.    If you do not allow these cookies then some or all of these services may not function properly.

Targeting Cookies

Always Active

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.    They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Back Button

Cookie List

Search Icon

Filter Icon

Clear

checkbox labellabel

ApplyCancel

ConsentLeg.Interest

checkbox labellabel

checkbox labellabel

checkbox labellabel

Confirm My Choices

Direct Link