Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Walshe, Thomas; Simpson, Andrea

doi:10.1016/j.cose.2022.102936

Cited by 13 publications

(5 citation statements)

References 55 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While the primary expected outcome of each policy is highlighted, it may also apply to other evaluated alternatives. In addition, using these policies concurrently is consistent with the best practices outlined in the literature (Walshe & Simpson, 2022) and the cybersecurity approach of a layered defence. 7…”

Section: Evaluated Alternativessupporting

confidence: 64%

“…In this alternative, governments may encourage or enforce vulnerability disclosure programs (VDPs) or bug bounty programs (BBPs) in specific vertical segments. The first program type allows researchers to safely submit their reports to organisations without receiving cash rewards, and the latter offers monetary awards for unique (unknown) valid discoveries (Walshe & Simpson, 2022). Organisations operating bug bounty programs often fail to convey all the formal constraints applicable to hackers, requiring them to understand the laws underpinning safe and legal security research (Walshe & Simpson, 2023).…”

Section: Support Bug Bounty Programs and Platformsmentioning

confidence: 99%

“…Additionally, the access level of researchers to the code can impact their ability to find bugs (Schryen & Kadura, 2009). While more researchers testing the code increase the number of discovered vulnerabilities (Maillart et al, 2017), high volumes of low-quality reports can burden operators and consume resources (Walshe & Simpson, 2022). Furthermore, contests can encourage innovation, but admitting more competitors can create tension between innovation and incentives for all players (Terwiesch & Xu, 2008).…”

Section: Trade-offs Tensions and Misalignmentsmentioning

confidence: 99%

See 2 more Smart Citations

Navigating vulnerability markets and bug bounty programs: A public policy perspective

Zrahia

2024

Internet Policy Review

View full text Add to dashboard Cite

As societies become increasingly dependent on digital means, organisations seek ways to prevent software exploitation by eliminating vulnerabilities or acquiring them as products. However, there is an ongoing debate regarding the extent to which governments should become involved in markets for vulnerability sharing. This paper examines the economics of vulnerabilities and outlines possible areas for governmental interventions. I survey three policy alternatives to support the discovery and disclosure of software vulnerabilities: integrating security and penetration testing into the software development life cycle, acquiring exploitable critical vulnerabilities by governments, and promoting bug bounty programs and platforms as vulnerability-sharing structures. For each suggested alternative, I present an impact matrix to qualitatively measure the effectiveness and efficiency of the vulnerability discovery process and the attractiveness, legality and trustworthiness of the disclosure process. I argue that bug bounty programs that bring together organisations and ethical hackers to trade vulnerabilities produce the highest impact. These gig economy structures are often based on two-sided digital market platforms as their foundation and offer a low entry barrier and assurance level for both market players. The discussion provides a foundation for governmental decision-makers to design effective policies for sharing vulnerabilities. Issue 1 1. Examples include the National Cyber Security Centre (NCSC) in the UK, and the Cybersecurity and Infrastructure Security Agency (CISA) in the US.

show abstract

Section: Evaluated Alternativessupporting

confidence: 64%

Section: Support Bug Bounty Programs and Platformsmentioning

confidence: 99%

Section: Trade-offs Tensions and Misalignmentsmentioning

confidence: 99%

See 1 more Smart Citation

Navigating vulnerability markets and bug bounty programs: A public policy perspective

Zrahia

2024

Internet Policy Review

View full text Add to dashboard Cite

show abstract

“…At the same time, these procedures make it clear to recipients of disclosure notices how the University will handle this process, and what can be expected and when. Publishing this policy generally beforehand can prevent many discussions during the disclosure process, and will hopefully also prevent the recipient from feeling like they are being pressured or even extorted [18].…”

Section: Embedding the Cvd Procedures In University Policymentioning

confidence: 99%

Operationalizing Cybersecurity Research Ethics Review: From Principles and Guidelines to Practice

Reidsma¹,

Ham²,

Continella³

2023

Proceedings of the 2nd International Workshop on Binary Analysis Research

View full text Add to dashboard Cite

Cybersecurity research involves ethics risks such as accidental privacy breaches, corruption of production services, and discovery of weaknesses in networked systems. Although literature describes these and other issues in some depth, reflection on these issues is not yet well embedded in typical Ethics Review Board procedures. In this paper, we operationalize existing guidance on cybersecurity research ethics into a proposal that can be directly implemented in an Ethics Review Board. We provide a set of self-assessment questions to effectively and efficiently probe the ethics of proposed cybersecurity research, a Coordinated Vulnerability Disclosure procedure for discoveries made in the course of research, and an outline of a university policy to institutionally embed this procedure, which could be adapted and adopted by research institutes. With this paper, we hope to contribute to more Ethics Review Boards taking up the challenge of addressing cybersecurity research ethics in an adequate and productive manner.

show abstract

“…Taking an analytical and empirical perspective, Massacci and Nguyen [21] evaluated different mathematical vulnerability discovery models, which can be beneficial for vendors and users in terms of predicting vulnerability trends, adapting patching and update schedules, and allocating security investments. Prior works also investigated the empirical facets of vulnerability discovery in the context of bug bounty programs (e.g., [8], [18], [19], [31], [32], [1], and [7]); however, research on rediscovery of vulnerabilities is sparse. Ozment [24] provided data on rediscovery frequency based on Microsoft's vulnerability bulletins and concluded that rediscovery is not negligible and should be explicitly considered in discovery models.…”

Section: Related Workmentioning

confidence: 99%

The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox

Atefi¹,

Sivagnanam²,

Ayman³

et al. 2023

Preprint

View full text Add to dashboard Cite

Recently, bug-bounty programs have gained popularity and become a significant part of the security culture of many organizations. Bug-bounty programs enable organizations to enhance their security posture by harnessing the diverse expertise of crowds of external security experts (i.e., bug hunters). However, quantifying the benefits of bug-bounty programs remains elusive, which presents a significant challenge for managing them. Previous studies focused on measuring their benefits in terms of the number of vulnerabilities reported or based on properties of the reported vulnerabilities, such as severity or exploitability. Importantly, beyond these inherent properties, the value of a report also depends on the probability that the vulnerability would be discovered by a threat actor before an internal expert could discover and patch it. In this paper, we present a data-driven study of the Chromium and Firefox vulnerability-reward programs. First, we estimate the difficulty of discovering a vulnerability using the probability of rediscovery as a novel metric. Our findings show that vulnerability discovery and patching provide clear benefits by making it difficult for threat actors to find vulnerabilities; however, we also identify opportunities for improvement, such as incentivizing bug hunters to focus more on development releases. Second, we compare the types of vulnerabilities that are discovered internally vs. externally and those that are exploited by threat actors. We observe significant differences between vulnerabilities found by external bug hunters, internal security teams, and external threat actors, which indicates that bug-bounty programs provide an important benefit by complementing the expertise of internal teams, but also that external hunters should be incentivized more to focus on the types of vulnerabilities that are likely to be exploited by threat actors. CCS CONCEPTS• Security and privacy → Economics of security and privacy; Software and application security; • Information systems → Browsers; World Wide Web.

show abstract

Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Cited by 13 publications

References 55 publications

Navigating vulnerability markets and bug bounty programs: A public policy perspective

Navigating vulnerability markets and bug bounty programs: A public policy perspective

Operationalizing Cybersecurity Research Ethics Review: From Principles and Guidelines to Practice

The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox

Contact Info

Product

Resources

About