Automated Responsible Disclosure of Security Vulnerabilities

Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure

Crime Science, 2018

In the computer science field, coordinated vulnerability disclosure is a well-known practice for finding flaws in IT systems and patching them. In this practice, a white-hat hacker who finds a vulnerability in an IT system reports that vulnerability to the system's owner. The owner will then resolve the problem, after which the vulnerability will be disclosed publicly. This practice generally does not focus on potential offenders or black-hat hackers who would likely exploit the vulnerability instead of reporting it. In this paper, we take an interdisciplinary approach and review the current coordinated vulnerability disclosure practice from both a computer science and a criminological perspective. We discuss current issues in this practice that could influence the decision to use coordinated vulnerability disclosure versus exploiting a vulnerability. Based on different motives, a rational choice or cost-benefit analysis of the possible reactions after finding a vulnerability will be discussed. Subsequently, implications for practice and future research suggestions are included.

Internet Security, Vulnerability Disclosure and Software Provision

2005

In this paper, we examine how software vulnerabilities affect firms that license software and consumers that purchase software. In particular, we model three decisions of the firm: (i) an upfront investment in the quality of the software to reduce potential vulnerabilities; (ii) a policy decision whether to announce vulnerabilities; and (iii) a price for the software. We also model two

Leveraging Interledger Technologies in IoT Security Risk Management

Security Risk Management for the Internet of Things: Technologies and Techniques for IoT Security, Privacy and Data Protection, 2020

There are security vulnerabilities in all technological systems but particularly in many Internet of Things (IoT) solutions. Responsible disclosure has been the established approach for the security community to deal with the discovered vulnerabilities, but this approach does not fare well in the modern fast-paced world and, in particular, in the low-cost, often highly constrained, long-expected usable lifetime, yet highly volatile IoT space. This chapter proposes a Distributed Ledger Technology (DLT) and interledger-based Automated Responsible Disclosure (ARD) solution that provides stronger incentives to the involved parties to address the vulnerabilities in a timely manner, better accountability of all parties, and, as a result, better security for the public at large.

1. Vendors are typically companies that aim to maximize their profits, which can be expressed as: revenue - expenses.

2. It is not possible for a vendor to generate significant extra revenue by improving the security of its products, since proving or measuring the security of the product is practically impossible (it cannot be practically proved that a product is secure, only that it is insecure).

From Responsible Disclosure Policy (RDP) towards State Regulated Responsible Vulnerability Disclosure Procedure (hereinafter – RVDP): The Latvian approach

Computer Law & Security Review, 2017

Cybersecurity is an integral part of security. It plays a tremendous role in modern society. It encompasses technical, organizational and legislative measures created for the purpose of protecting against and minimizing the impacts of cyber incidents. Any software may contain bugs or security holes. Hackers frequently discover such flaws and, without the vendor's consent, disclose step-by-step instructions about the vulnerability to the public, disregarding the possible IT security risk. Many vendors have already introduced responsible disclosure policies or "bug bounty" programs. In 2013 the Netherlands launched the first state responsible disclosure Guidelines. The Guidelines contain principles, definitions and organizational measures necessary for responsible disclosure policy as a state policy. Latvia decided to draft a Regulation on responsible disclosure procedure. In March 2016, the Ministry of Defence created a working group. The goal of the drafters was: 1) to prepare an amendment to the Law on the Security of Information Systems to create a legislative framework for the responsible vulnerability disclosure process; 2) to draft an amendment to Section 241 (3) of the Criminal Law to create a guaranty against prosecution (waiver) for persons who act in accordance with the responsible disclosure process. The paper provides an insight into this process and the difficulties faced by the drafters, and presents provisional results of the legislative draft and lessons to be learnt.

Bug Bounty Marketplaces and Enabling Responsible Vulnerability Disclosure

Journal of Database Management, 2020

Cybercrime caused by exploited vulnerabilities places a huge burden on societies. Most of these vulnerabilities are detectable, and the damage is preventable if software vendors and firms that deploy such software adopt the right practices. Bug Bounty Programs (BBPs) run by vendors and intermediaries are one of the most important creations in recent years, helping software vendors to create marketplaces and to detect and prevent such exploits. This article develops the theory of BBPs and presents a typology of BBPs using established theories of incentive compatibility and mechanism design. The authors empirically analyze the market creation function of BBPs using granular data from two different types of BBPs on a popular intermediary platform. The research findings suggest that BBPs are valuable opportunities to source vulnerabilities in software; nevertheless, the rate of disclosure and hacker participation increases only marginally with vendors' rewards and other incentives. Similarly, t...

Better bug reporting with better privacy

2008

Software vendors collect bug reports from customers to improve the quality of their software. These reports should include the inputs that make the software fail, to enable vendors to reproduce the bug. However, vendors rarely include these inputs in reports because they may contain private user data. We describe a solution to this problem that provides software vendors with new input values that satisfy the conditions required to make the software follow the same execution path until it fails, but are otherwise unrelated with the original inputs. These new inputs allow vendors to reproduce the bug while revealing less private information than existing approaches. Additionally, we provide a mechanism to measure the amount of information revealed in an error report. This mechanism allows users to perform informed decisions on whether or not to submit reports. We implemented a prototype of our solution and evaluated it with real errors in real programs. The results show that we can produce error reports that allow software vendors to reproduce bugs while revealing almost no private information.

An accountable privacy-preserving scheme for public information sharing systems

Computers & Security

Due to the emergence of data externalization technologies, such as cloud and fog computing, setting up public information-sharing applications has become much easier. Yet, many concerns related to information security need to be addressed. While sharing information, privacy is without any doubt one of the major concerns for all users. Several proposals in the literature have treated privacy issues using existing anonymization techniques, but few of them considered an accountability service. However, when security systems do not adopt accountability mechanisms, full anonymity may encourage users to act maliciously. In this paper, we propose a novel accountable privacy-preserving solution for public information sharing in data externalization platforms. Based on signatures, our scheme allows externalization servers to authenticate any user in the system without violating their privacy. In case of misbehavior, our solution allows malicious users to be traced with the help of an authority. Moreover, our solution ensures privacy-preserving and accountability services in a completely distributed manner, without a permanent resort to the authority. Finally, we show through experimentation that our solution outperforms existing accountable privacy-preserving solutions.

Privacy-preserving and Trusted Threat Intelligence Sharing using Distributed Ledgers

2021 14th International Conference on Security of Information and Networks (SIN), 2021

Threat information sharing is considered one of the proactive defensive approaches for enhancing the overall security of trusted partners. Trusted partner organizations can provide access to past and current cybersecurity threats to reduce the risk of a potential cyberattack. The requirements for threat information sharing range from simplistic sharing of documents to threat intelligence sharing. Therefore, the storage and sharing of highly sensitive threat information raise considerable concerns regarding the construction of a secure, trusted threat information exchange infrastructure. Establishing a trusted ecosystem for threat sharing will promote the validity, security, anonymity, scalability, latency efficiency, and traceability of the stored information and protect it from unauthorized disclosure. This paper proposes a system that ensures the security principles mentioned above by utilizing a distributed ledger technology that provides secure decentralized operations through smart contracts and provides a privacy-preserving ecosystem for threat information storage and sharing based on the MITRE ATT&CK framework.

NETWORK SECURITY: VULNERABILITIES AND DISCLOSURE POLICY

The Journal of Industrial Economics, 2010

Software security is a major concern for vendors, consumers, and regulators, since attackers that exploit vulnerabilities can cause substantial damage. When vulnerabilities are discovered after the software has been sold to consumers, firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper considers a firm that sells software which is subject to potential security breaches. Prices, market shares, and profits depend on the disclosure policy of the firm. The paper derives the conditions under which a firm would disclose vulnerabilities. It examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities and shows that a 'Mandatory Disclosure' regulatory policy is not necessarily welfare improving. The paper then discusses the incentives to invest in product security. An ex-ante reduction in the number of vulnerabilities typically leads to higher prices, greater profits, and higher welfare, but may also induce a (welfare-improving) regime shift from a disclosure to a non-disclosure policy. Ex-post investment may induce a (welfare-improving) regime shift in the opposite direction: from non-disclosure to disclosure.