Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure (original) (raw)
Related papers
Why Cooperate? Ethical Analysis of InfoSec Vulnerability Disclosure
2015
Vendors, security consultants and information security researchers seek guidance on if and when to disclose information about specific software or hardware security vulnerabilities. We apply Kantianism to argue that vendors and third parties (InfoSec researchers, consultants, and other interested parties) have an ethical obligation to inform customers and business partners (such as channel partners or providers of complementary products and services) about specific software vulnerabilities (thus addressing if disclosure should occur). We apply Utilitarianism to address the question of when disclosure should occur. By applying these two philosophical perspectives we conclude that to maximize social welfare, vendors should release software fixes as soon as possible, and third parties should adopt a coordinated disclosure policy to avoid placing customers and business partners at unnecessary risk.
Automated Responsible Disclosure of Security Vulnerabilities
IEEE Access, 2021
The disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which unfortunately suffers from several disadvantages such as fostering a false sense of security among the end-users, allowing arbitrary delays in the disclosure process, and forcing the party reporting a vulnerability to identify themselves, which has been exploited by vendors in the past through intimidation and malpractice. To address these issues, this paper presents an improved version of the Responsible Disclosure approach called Automated Responsible Disclosure (ARD)-a solution that leverages distributed ledgers and interledger technologies to automate the disclosure process while offering increased security, privacy, and transparency. A prototype implementation has been released as open-source software, and the evaluation of the solution shows that ARD is capable of addressing the key shortcomings in existing solutions and fostering more transparent vulnerability disclosure practices.
Information Systems Frontiers, 2007
Research in information security, risk management and investment has grown in importance over the last few years. However, without reliable estimates on attack probabilities, risk management is difficult to do in practice. Using a novel data set, we provide estimates on attack propensity and how it changes with disclosure and patching of vulnerabilities. Disclosure of software vulnerability has been controversial. On one hand are those who propose full and instant disclosure whether the patch is available or not and on the other hand are those who argue for limited or no disclosure. Which of the two policies is socially optimal depends critically on how attack frequency changes with disclosure and patching. In this paper, we empirically explore the impact of vulnerability information disclosure and availability of patches on attacks targeting the vulnerability. Our results suggest that on an average both secret (non-published) and published (published and not patched) vulnerabilities attract fewer attacks than patched (published and patched) vulnerabilities. When we control for time since publication and patches, we find that patching an already known vulnerability decreases the number of attacks, although attacks gradually increase with time after patch release. Patching an unknown vulnerability, however, causes a spike in attacks, which then gradually decline after patch release. Attacks on secret vulnerabilities slowly increase with time until the vulnerability is published and then attacks rapidly decrease with time after publication.
Impact of vulnerability disclosure and patch availability-an empirical analysis
2004
Abstract Vulnerability disclosure is an area of public policy that has been subject to considerable debate, particularly between proponents of full and instant disclosure, and those of limited or no disclosure. This paper is an attempt to empirically test the impact of vulnerability information disclosure and availability of patches on attackers' tendency to exploit vulnerabilities on one hand and on the vendors' tendency to release patches on the other.
Optimal Policy for Software Vulnerability Disclosure1
2004
Software vulnerabilities represent a serious threat to cyber security, most cyber-attacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure. Disclosure policy (which sets a protected period given to a vendor to release the patch for the vulnerability) indirectly affects the speed and quality of the patch that a vendor develops. Thus CERT/CC and similar bodies acting in the public interest can use disclosure to influence the behavior of vendors and reduce social cost. This paper develops a framework to analyze the optimal timing of disclosure. We formulate a model involving a social planner who sets the disclosure policy and a vendor who decides on the patch release. We show that the vendor typically release the patch less expeditiously than is socially optimal. The social planner optimally shrinks the protected period to push the vendor to deliver the patch more quickly and sometimes the patch release time coincides with disclosure. We extend the model to allow the proportion of users implementing patches to depend upon the quality (chosen by the vendor) of the patch. We show that a longer protected period does not always results in a better patch quality. Another extension allows for some fraction of users to use "work-arounds". We show that the possibility of work-arounds can provide the social planner more leverage and hence the social planner shrinks the protected period. Interestingly, possibility of work-arounds can sometimes increase the social cost due to the negative externalities imposed by the users who can use the work-arounds on the users who can not. and seminar participants at Stanford University, for their valuable feedback. We also thank the DE, the AE, and two anonymous reviewers for many valuable suggestions, and Ed Barr for suggesting many improvements in the writing.
NETWORK SECURITY: VULNERABILITIES AND DISCLOSURE POLICY*
The Journal of Industrial Economics, 2010
Software security is a major concern for vendors, consumers, and regulators since attackers that exploit vulnerabilities can cause substantial damages. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper considers a firm that sells software which is subject to potential security breaches. Prices, market shares, and profits depend on the disclosure policy of the firm. The paper derives the conditions under which a firm would disclose vulnerabilities. It examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities and shows that a 'Mandatory Disclosure' regulatory policy is not necessarily welfare improving. The paper then discusses the incentives to invest in product security. An ex-ante reduction in the number of vulnerabilities typically leads to higher prices, greater profits, and higher welfare, but may also induce a (welfareimproving) regime shift from a disclosure to non-disclosure policy. Ex-post investment may induce a (welfare-improving) regime shift in the opposite direction: from nondisclosure to disclosure.
Internet Security, Vulnerability Disclosure and Software Provision
2005
In this paper, we examine how software vulnerabilities affect firms that license software and consumers that purchase software. In particular, we model three decisions of the firm: (i) an upfront investment in the quality of the software to reduce potential vulnerabilities; (ii) a policy decision whether to announce vulnerabilities; and (iii) a price for the software. We also model two
Responsibility for the Harm and Risk of Software Security Flaws
Interdisciplinary Perspectives
Software vulnerabilities are a vexing problem for the state of information assurance and security. Who is responsible for the risk and harm of software security is controversial. Deliberation of the responsibility for harm and risk due to software security flaws requires considering how incentives (and disincentives) and network effects shape the practices of vendors and adopters, and the consequent effects on the state of software security. This chapter looks at these factors in more detail in the context of private markets and public welfare.