Researchers' experiences with vulnerability disclosures
- 👤 Speaker: Yasemin Acar, Paderborn University
- 📅 Date & Time: Tuesday 04 February 2025, 14:00 - 15:00
- 📍 Venue: Webinar & FW11, Computer Laboratory, William Gates Building.
Abstract
Vulnerabilities are becoming more and more prevalent in scientific research. Researchers usually wish to publish their research and, before that, have the vulnerabilities acknowledged and fixed, contributing to a secure digital world. However, the vulnerability disclosure process is fraught with obstacles, and handling vulnerabilities is challenging as it involves several parties (vendors, companies, customers, and community). We want to shed light on the vulnerability disclosure process and develop guidelines and best practices, serving vulnerability researchers as well as the affected parties for better collaboration in disclosing and fixing vulnerabilities.
We collected more than 1900 research papers published at major scientific security conferences and analyzed how disclosures are reported, finding inconsistent reporting, as well as spotty acknowledgments and fixes by affected parties. We then conducted semi-structured interviews with 21 security researchers with a broad range of expertise who published their work at scientific security conferences and qualitatively analyzed the interviews.
We discovered that the main problem starts with even finding the proper contact to disclose. Bug bounty programs or general-purpose contact email addresses, often staffed by AI or untrained personnel, posed obstacles to timely and effective reporting of vulnerabilities.
Experiences with CERT (entities supposed to help notify affected parties and facilitate coordinated fixing of vulnerabilities) were inconsistent, some extremely positive, some disappointing. Our interviewees further talked about lawsuits and public accusations from the vendors, developers, colleagues, or even the research community. Successful disclosures often hinge on researcher experience and personal contacts, which poses personal and professional risks to newer researchers.
We’re working on making our collected best practices and common pitfalls more widely known both to researchers and industry, for more cooperative disclosure experiences.
Zoom link: https://cam-ac-uk.zoom.us/j/89699287551?pwd=shaVGdAyVagZX2AvrVI9mazeKk8ssI.1
Meeting ID: 896 9928 7551 Passcode: 471680
Bio: Yasemin Acar (she/her) is a professor of computer science at Paderborn University, Germany, and a research assistant professor at The George Washington University. She focuses on human factors in computer security. Her research centers humans, their comprehension, behaviors, wishes and needs. She aims to better understand how software can enhance users' lives without putting their data at risk. Her recent focus has been on human factors in secure development, investigating how to help software developers implement secure software development practices. Her research has shown that working with developers on these issues can resolve problems before they ever affect end users. Her research has won distinguished paper awards at IEEE Security and Privacy and USENIX Security, as well as an NSA best cyber security paper competition. Her web page: https://yaseminacar.de.
Series
This talk is part of the Computer Laboratory Security Seminar series.