VDP in Aviation: How it shouldn't be done!
Matt Gaffney
DEF CON 33 (backfill) · Day 1 · Main Stage
Matt Gaffney, known as "gaffers," delivers a candid and critical assessment of **Vulnerability Disclosure Programs (VDPs)** within the aviation sector, highlighting pervasive failures and offering pragmatic advice for both researchers and disclosure recipients. This talk, born from Gaffney's personal and often frustrating experiences in aviation security research, serves as a stark warning and a call to action for an industry grappling with expanding attack surfaces and slow-moving change. Gaffney underscores that while aviation's safety-critical nature demands rigorous security, the current VDP landscape is frequently dysfunctional, characterized by stonewalling, dismissal of legitimate findings, and a dangerous reliance on **security by obscurity**.
AI review
Gaffney brings genuine domain credibility and real war stories to a topic the aviation security community actually needs to hear — VDP dysfunction in a safety-critical, glacially-paced industry. The talk is honest, practitioner-grounded, and delivers actionable guidance for both sides of a disclosure. It won't teach a technical researcher anything new about exploitation, but that's not what it's trying to do.