Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge

IEEE Transactions on Software Engineering

Volumn 33, Issue 3, 2007, Pages 171-185

  Cavusoglu, Hasan ^a   Cavusoglu, Huseyin ^b   Raghunathan, Srinivasan ^b  

^a UNIVERSITY OF BRITISH COLUMBIA   (Canada)

^b UNIVERSITY OF TEXAS AT DALLAS   (United States)

Author keywords

Disclosure mechanisms; Economic modeling; Game theory; Information security; Responsible vulnerability disclosure; Software vulnerabilities

Indexed keywords

DATA PRIVACY; ECONOMIC AND SOCIAL EFFECTS; GAME THEORY; INFORMATION DISSEMINATION; KNOWLEDGE MANAGEMENT;

DISCLOSURE MECHANISMS; ECONOMIC MODELLING; SOFTWARE VULNERABILITY; VULNERABILITY DISCLOSURE;

COMPUTER PRIVACY;

EID: 33947376004     PISSN: 00985589     EISSN: None     Source Type: Journal    
DOI: 10.1109/TSE.2007.26     Document Type: Article

References (36)

1. "ASPR Notification and Publishing Policy," Across, www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm, 2004.
2. W.A. Arbaugh, W.L. Fithen, and J. McHugh, "Windows of Vulnerability: A Case Study Analysis," Computer, vol. 33, no. 12, pp. 52-59, Dec. 2002.
3. A. Arora, A.R. Telang, and H. Xu, "Optimal Policy for Software Vulnerability Disclosure," Proc. Workshop Economics of Information Security, 2004.
4. T. August and T.I. Tunca, "Network Software Security and User Incentives," Management Science, vol. 52, no. 11, pp. 1703-1720, 2006.
5. "Organization for Internet Safety Issues a Public Comment Draft for Security Vulnerability Reporting and Response Guide," BindView, http://www.bindview.com/News/display.cfm?Release=2003/0604b.txt/, 2003.
6. H.K. Browne, W.A. Arbaugh, J. McHugh, and W.L. Fithen, "A Trend Analysis of Exploitations," Proc. IEEE Symp. Security and Privacy, pp. 214-229, May 2001.
7. H. Cavusoglu, H. Cavusoglu, and S. Raghunathan, "Economics of IT Security Management: Four Improvements to Current Security Practices," Comm. AIS, vol. 14, article 3, July 2004.
8. H. Cavusoglu, H. Cavusoglu, and J. Zhang, "Security Patch Management: Can't Live with It, Can't Live without It," Proc. Workshop Information Technology and Systems, Dec. 2004.
9. "Locking Windows," CBS News.com, 16 Jan. 2002.
10. "Vulnerability Disclosure Policy,"CERT Coordination Center, 2000.
11. J.C. Chambers and J.W. Thompson, "Vulnerability Disclosure Framework: Final Report and Recommendations by the Council," US Nat'l Infrastructure Advisory Council, 13 Jan. 2004.
12. S. Culp, "Definition of a Security Vulnerability," MicrosoftTech-Net, 2000.
13. "CYBSEC Security Vulnerability Disclosure Policy," http:// www.cybsec.com/vulnerability_policy.pdf, 2004.
14. "Upcoming Advisories," eEyes, http://www.eeye.com/html/research/upcoming/index.html, 2004.
15. D. Fisher, "CERT, Feds Consider New Reporting Process," eWeek, 24 Mar. 2003.
16. T. Havana, "Communication in the Software Vulnerability Reporting Process," MA thesis, Univ. Jyväskylä, 2003.
17. K. Kannan,, R. Telang, and H. Xu, "Economic Analysis of the Market for Software Vulnerability Disclosure, Proc. 37th Hawaii Int'l Conf. System Sciences, 2004.
18. M. Laakso, A. Takanen, and J. Röning, "The Vulnerability Process: A Tiger Team Approach to Resolving Vulnerability Cases," Proc. 11th FIRST Conf. Computer Security Incident Handling and Response, 1999.
19. "Procedures for Handling Security Patches," NIST 800-40, US Nat'l Inst. Standards and Technology, 2002.
20. D. Nizovtsev and M. Thursby, "Economic Analysis of Incentives to Disclose Software Vulnerabilities," Proc. Workshop Economics of Information Security, 2005.
21. "Guidelines for Security Vulnerability Reporting and Response," version 2.0, Organization for Internet Safety, 1 Sept. 2004.
22. A. Ozment, " Bug Auctions: Vulnerability Markets Reconsidered," Proc. Workshop Economics of Information Security, 2004.
23. A. Ozment, "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting," Proc. Workshop Economics of Information Security, 2005.
24. W. Pond, "Do Security Holes Demand Full Disclosure?" ZDNet, 15 Aug. 2000.
25. E. Preston and J. Lofton, "Computer Security Publications: Information Economics, Shifting Liability and the First Amendment," Whittier Law Rev., vol. 24, pp. 71-142, 2002.
26. M.J. Ranum, "Vulnerability Disclosure - Let's Be Honest about Motives Shall We?" http://www.ranum.com/security/computer_security/index.html 2004.
27. E. Rescorla, "Is Finding Security Holes a Good Idea?" Proc. Workshop Economics of Information Security, 2004.
28. Secure Business Quarterly, special issue vulnerability disclosure, vol. 2, 2002.
29. S. Schechter, "How to Buy Better Testing: Using Competition to Get the Most Security and Robustness for Your Dollar," Proc. Infrastructure Security Conf., 2002.
30. J. Schiller, "Responsible Vulnerability Disclosure: A Hard Problem," Secure Business Quarterly, vol. 2, no. 1-5, 2002.
31. B. Schneier, "Bug Secrecy vs. Full Disclosure," ZDNet TechUpdate, 14 Nov. 2001.
32. S. Shepherd, "Vulnerability Disclosure: How Do We Define Responsible Disclosure?" GIAC SEC Practical Repository, SANS Inst., 2003
33. A. Stone, "Software Flaws: To Tell or not to Tell?" Computer, vol. 20, no. 1, pp. 70-73, 2003.
34. A. Takanen, P. Vuorijarvi, M. Laakso, and J. Roning, "Agents of Responsibility in Software Vulnerability Processes," Ethics and Information Technology, vol. 6, no. 2, pp. 93-110, 2004.
35. H.R. Varian, "Managing Online Security Risks," New York Times, 1 June 2000.
36. J. Vijayam, "Bug Disclosure, Fix Process Improving," Computerworld, 10 Mar. 2003.