Weiheng Bai and Qiushi Wu (University of Minnesota)

Vulnerability research is vital to mitigating cyberattacks, which tries to devise new approaches to discover new vulnerabilities. As an ethical research guideline, researchers are expected to report the found vulnerabilities to the corresponding vendors before disclosing them (e.g., publishing a paper), which is known as the responsible-disclosure process. Undoubtedly, the intention of responsible disclosure is to help improve the security of software. We observe that the current responsible disclosure may not be as effective as expected. In particular, reports can be significantly delayed or completely ignored. Reports for securitycritical vulnerabilities are often publicly disclosed, which can potentially be abused by attackers.

In this work, we plan to study the effectiveness of the existing responsible disclosure. Two major questions we aim to answer are: (1) Are security-critical bug reports commonly disclosed publicly in the first place? (2) What factors of a bug report contribute to delaying or ignoring? By answering the questions, we aim to provide insights into how to improve the quality of bug reports and the effectiveness of responsible disclosure. In this paper, we present our preliminary results of this work. We take the Linux reports and patch history as an example. We found that at least in Linux, most security bugs are publicly disclosed before they are fixed, and that factors such as length of reports, author experience, and author affiliations have an impact on the delay of patching. In the end, we also present our plans for future work.

View More Papers

RoVISQ: Reduction of Video Service Quality via Adversarial Attacks...

Jung-Woo Chang (University of California San Diego), Mojan Javaheripi (University of California San Diego), Seira Hidano (KDDI Research, Inc.), Farinaz Koushanfar (University of California San Diego)

Read More

Non-Interactive Privacy-Preserving Sybil-Free Authentication Scheme in VANETs

Mahdi Akil (Karlstad University), Leonardo Martucci (Karlstad University), Jaap-Henk Hoepman (Radboud University)

Read More

Securing Federated Sensitive Topic Classification against Poisoning Attacks

Tianyue Chu (IMDEA Networks Institute), Alvaro Garcia-Recuero (IMDEA Networks Institute), Costas Iordanou (Cyprus University of Technology), Georgios Smaragdakis (TU Delft), Nikolaos Laoutaris (IMDEA Networks Institute)

Read More

BANS: Evaluation of Bystander Awareness Notification Systems for Productivity...

Shady Mansour (LMU Munich), Pascal Knierim (Universitat Innsbruck), Joseph O’Hagan (University of Glasgow), Florian Alt (University of the Bundeswehr Munich), Florian Mathis (University of Glasgow)

Read More