Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure

In the computer science field, coordinated vulnerability disclosure is a well-known practice for finding flaws in IT systems and patching them. In this practice, a white-hat hacker who finds a vulnerability in an IT system reports that vulnerability to the system’s owner. The owner then resolves the problem, after which the vulnerability is disclosed publicly. This practice generally does not focus on potential offenders or black-hat hackers, who would likely exploit the vulnerability instead of reporting it. In this paper, we take an interdisciplinary approach and review the current coordinated vulnerability disclosure practice from both a computer science and a criminological perspective. We discuss current issues in this practice that could influence the decision to use coordinated vulnerability disclosure versus exploiting a vulnerability. Based on different motives, a rational choice or cost–benefit analysis of the possible reactions after finding a vulnerability is discussed. Subsequently, implications for practice and suggestions for future research are included.
