You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications
Title | You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications |
Publication Type | Conference Paper |
Year of Publication | 2016 |
Authors | Li, F., Durumeric Z., Czyz J., Karami M., Bailey M., McCoy D., Savage S., & Paxson V. |
Published in | Proceedings of the 25th USENIX Security Symposium |
Date Published | 08/2016 |
Abstract | Security researchers can send vulnerability notifications to take proactive measures in securing systems at scale. However, the factors affecting a notification’s efficacy have not been deeply explored. In this paper, we report on an extensive study of notifying thousands of parties of security issues present within their networks, with an aim of illuminating which fundamental aspects of notifications have the greatest impact on efficacy. The vulnerabilities used to drive our study span a range of protocols and considerations: exposure of industrial control systems; apparent firewall omissions for IPv6-based services; and exploitation of local systems in DDoS amplification attacks. We monitored vulnerable systems for several weeks to determine their rate of remediation. By comparing with experimental controls, we analyze the impact of a number of variables: choice of party to contact (WHOIS abuse contacts versus national CERTs versus US-CERT), message verbosity, hosting an information website linked to in the message, and translating the message into the notified party’s local language. We also assess the outcome of the emailing process itself (bounces, automated replies, human replies, silence) and characterize the sentiments and perspectives expressed in both the human replies and an optional anonymous survey that accompanied our notifications. |
URL | http://www.icir.org/vern/papers/sec16-vuln-notifications.pdf |
ICSI Research Group | Networking and Security |