Vulnerability Disclosure Considered Stressful-Reference-Cited by-同舟云学术

Vulnerability Disclosure Considered Stressful

Published:2023-04-30 Issue:2 Volume:53 Page:2-10
ISSN:0146-4833
Container-title:ACM SIGCOMM Computer Communication Review
language:en
Short-container-title:SIGCOMM Comput. Commun. Rev.

Author:

Moura Giovane C. M.¹,Heidemann John²

Affiliation:

1. SIDN Labs and TU Delft, Arnhem and Delft, The Netherlands

2. USC/ISI and CS Dept., Los Angeles, California, USA

Abstract

Vulnerability disclosure is a widely recognized practice in the software industry, but there is a lack of literature detailing the firsthand experiences of researchers who have gone through the process. This work aims to bridge that gap by sharing our personal experience of accidentally discovering a DNS vulnerability and navigating the vulnerability disclosure process for the first time. We document our mistakes and highlight the important lessons we learned, such as the fact that public disclosure can be effective but can also be more time-consuming and emotionally taxing than anticipated. Additionally, we discuss the ethical considerations and potential consequences that may arise during each step of the disclosure process. Lastly, drawing from our own experiences, we identify and discuss issues with the current disclosure process and propose recommendations for its improvement. Our ultimate aim is to provide valuable insights to fellow researchers who may encounter similar challenges in the future and contribute to the enhancement of the overall disclosure process for the benefit of the wider community.

Publisher

Association for Computing Machinery (ACM)

Subject

Computer Networks and Communications,Software

Link

https://dl.acm.org/doi/pdf/10.1145/3610381.3610383

Reference55 articles.

1. ACM. 2023. ACM Code of Ethics and Professional Conduct. https://www.acm.org/code-of-ethics ACM. 2023. ACM Code of Ethics and Professional Conduct. https://www.acm.org/code-of-ethics

2. ACM. 2023. CISA Coordinated Vulnerability Disclosure (CVD) Process. https://www.cisa.gov/coordinated-vulnerability-disclosure-process ACM. 2023. CISA Coordinated Vulnerability Disclosure (CVD) Process. https://www.cisa.gov/coordinated-vulnerability-disclosure-process

3. Software vulnerability markets: Discoverers and buyers;Algarni Abdullah M;International Journal of Computer and Information Engineering,2014

4. Does information security attack frequency increase with vulnerability disclosure? An empirical analysis

5. Economics of software vulnerability disclosure

Cited by 2 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Comparison of Methods for Automatically Predicting CVSS Base Vector;2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC);2024-07-02

2. Three Challenges to Secure AI Systems in the Context of AI Regulations;IEEE Access;2024