BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Researchers’ experiences with vulnerability disclosures - Yasemi
 n Acar\, Paderborn University
DTSTART:20250204T140000Z
DTEND:20250204T150000Z
UID:TALK228190@talks.cam.ac.uk
CONTACT:Tina Marjanov
DESCRIPTION:Vulnerabilities are becoming more and more prevalent in scient
 ific research. Researchers usually wish to publish their research and\, be
 fore that\, have the vulnerabilities acknowledged and fixed\, contributing
  to a secure digital world. However\, the vulnerability disclosure process
  is fraught with obstacles\, and handling vulnerabilities is challenging a
 s it involves several parties (vendors\, companies\, customers\, and commu
 nity). We want to shed light on the vulnerability disclosure process and d
 evelop guidelines and best practices\, serving vulnerability researchers a
 s well as the affected parties for better collaboration in disclosing and 
 fixing vulnerabilities.\n\nWe collected more than 1900 research papers pub
 lished at major scientific security conferences and analyzed how disclosur
 es are reported\, finding inconsistent reporting\, as well as spotty ackno
 wledgments and fixes by affected parties. We then conducted semi-structure
 d interviews with 21 security researchers with a broad range of expertise 
 who published their work at scientific security conferences and qualitativ
 ely analyzed the interviews.\n\nWe discovered that the main problem starts
  with even finding the proper contact to disclose. Bug bounty programs or 
 general-purpose contact email addresses\, often staffed by AI or untrained
  personnel\, posed obstacles to timely and effective reporting of vulnerab
 ilities. \n\nExperiences with CERT (entities supposed to help notify affec
 ted parties and facilitate coordinated fixing of vulnerabilities) were inc
 onsistent\, some extremely positive\, some disappointing. Our interviewees
  further talked about lawsuits and public accusations from the vendors\, d
 evelopers\, colleagues\, or even the research community. Successful disclo
 sures often hinge on researcher experience and personal contacts\, which p
 oses personal and professional risks to newer researchers.\n\nWe're workin
 g on making our collected best practices and common pitfalls more widely k
 nown both to researchers and industry\, for more cooperative disclosure ex
 periences.\n\nZoom link: https://cam-ac-uk.zoom.us/j/89699287551?pwd=shaVG
 dAyVagZX2AvrVI9mazeKk8ssI.1\n\nMeeting ID: 896 9928 7551\nPasscode: 471680
 \n\nBio: Yasemin Acar (she/her) is a professor of computer science at Pade
 rborn University\, Germany\, and a research assistant professor at The Geo
 rge Washington University. She focuses on human factors in computer securi
 ty. Her research centers humans\, their comprehension\, behaviors\, wishes
  and needs. She aims to better understand how software can enhance users
 ’ lives without putting their data at risk. Her recent focus has been on
  human factors in secure development\, investigating how to help software 
 developers implement secure software development practices. Her research h
 as shown that working with developers on these issues can resolve problems
  before they ever affect end users. Her research has won distinguished pap
 er awards at IEEE Security and Privacy and USENIX Security\, as well as a 
 NSA best cyber security paper competition. Her web page: https://yaseminac
 ar.de.
LOCATION:Webinar & FW11\, Computer Laboratory\, William Gates Building.
END:VEVENT
END:VCALENDAR
