Researchers' experiences with vulnerability disclosures
If you have a question about this talk, please contact Tina Marjanov.

Vulnerabilities are becoming more and more prevalent in scientific research. Researchers usually wish to publish their research and, before that, have the vulnerabilities acknowledged and fixed, contributing to a secure digital world. However, the vulnerability disclosure process is fraught with obstacles, and handling vulnerabilities is challenging as it involves several parties (vendors, companies, customers, and community). We want to shed light on the vulnerability disclosure process and develop guidelines and best practices, serving vulnerability researchers as well as the affected parties for better collaboration in disclosing and fixing vulnerabilities.

We collected more than 1900 research papers published at major scientific security conferences and analyzed how disclosures are reported, finding inconsistent reporting, as well as spotty acknowledgments and fixes by affected parties. We then conducted semi-structured interviews with 21 security researchers with a broad range of expertise who published their work at scientific security conferences and qualitatively analyzed the interviews.

We discovered that the main problem starts with even finding the proper contact to disclose to. Bug bounty programs or general-purpose contact email addresses, often staffed by AI or untrained personnel, posed obstacles to timely and effective reporting of vulnerabilities. Experiences with CERTs (entities supposed to help notify affected parties and facilitate coordinated fixing of vulnerabilities) were inconsistent: some extremely positive, some disappointing. Our interviewees further talked about lawsuits and public accusations from vendors, developers, colleagues, or even the research community. Successful disclosures often hinge on researcher experience and personal contacts, which poses personal and professional risks to newer researchers.
We're working on making our collected best practices and common pitfalls more widely known both to researchers and industry, for more cooperative disclosure experiences.

Zoom link: https://cam-ac-uk.zoom.us/j/89699287551?pwd=shaVGdAyVagZX2AvrVI9mazeKk8ssI.1
Meeting ID: 896 9928 7551
Passcode: 471680

Bio: Yasemin Acar (she/her) is a professor of computer science at Paderborn University, Germany, and a research assistant professor at The George Washington University. She focuses on human factors in computer security. Her research centers humans, their comprehension, behaviors, wishes and needs. She aims to better understand how software can enhance users' lives without putting their data at risk. Her recent focus has been on human factors in secure development, investigating how to help software developers implement secure software development practices. Her research has shown that working with developers on these issues can resolve problems before they ever affect end users. Her research has won distinguished paper awards at IEEE Security and Privacy and USENIX Security, as well as an NSA best cyber security paper competition. Her web page: https://yaseminacar.de.

This talk is part of the Computer Laboratory Security Seminar series.