A mixed methods probe into the direct disclosure of software vulnerabilities

Abstract

Software vulnerabilities are security-related software bugs. Direct disclosure refers to a practice that is widely used for communicating confidential information about vulnerabilities between two parties: vulnerability discoverers and software producers. Building on software vulnerability life cycle analysis, this empirical paper observes the qualitative and quantitative characteristics of direct disclosure practices, focusing particularly on the historical problem of producers' reluctance to participate in the practices. According to the results, the problem was still present in the 2000s and early 2010s—and likely is still present today. By presenting this empirical result about the under-researched phenomenon of direct disclosure of software vulnerabilities, the paper contributes to the research domain of vulnerability life cycle modeling in general and to the subdomain of empirical vulnerability disclosure research in particular.
