Automated Responsible Disclosure of Security Vulnerabilities
The disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which still suffers from several disadvantages such as fostering a false sense...
| Main Authors: | , , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
IEEE
2022-01-01
|
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/9606687/ |
| _version_ | 1819275663740239872 |
|---|---|
| author | Andrea Lisi Prateeti Mukherjee Laura De Santis Lei Wu Dmitrij Lagutin Yki Kortesniemi |
| author_facet | Andrea Lisi Prateeti Mukherjee Laura De Santis Lei Wu Dmitrij Lagutin Yki Kortesniemi |
| author_sort | Andrea Lisi |
| collection | DOAJ |
| description | The disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which still suffers from several disadvantages such as fostering a false sense of security among the end-users, allowing arbitrary delays in the disclosure process, and forcing the party reporting a vulnerability to identify themselves, which has been exploited by vendors through intimidation and malpractice. To address these issues, this paper presents an improved version of the Responsible Disclosure approach called Automated Responsible Disclosure (ARD) - a solution that leverages distributed ledgers and interledger technologies to automate the disclosure process while offering increased security, privacy, and transparency. A prototype implementation has been released as open-source software, and the evaluation of the solution shows that ARD is capable of addressing the key shortcomings in existing solutions and fostering more transparent disclosure practices. |
| first_indexed | 2024-12-23T23:27:54Z |
| format | Article |
| id | doaj.art-7c372615b8584074925c63eb326e2578 |
| institution | Directory Open Access Journal |
| issn | 2169-3536 |
| language | English |
| last_indexed | 2024-12-23T23:27:54Z |
| publishDate | 2022-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj.art-7c372615b8584074925c63eb326e25782022-12-21T17:26:10ZengIEEEIEEE Access2169-35362022-01-0110104721048910.1109/ACCESS.2021.31264019606687Automated Responsible Disclosure of Security VulnerabilitiesAndrea Lisi0https://orcid.org/0000-0002-4713-989XPrateeti Mukherjee1Laura De Santis2Lei Wu3https://orcid.org/0000-0002-9649-613XDmitrij Lagutin4https://orcid.org/0000-0002-5695-3201Yki Kortesniemi5https://orcid.org/0000-0003-2812-3435Department of Computer Science, University of Pisa, Pisa, ItalyDepartment of Communications and Networking, School of Electrical Engineering, Aalto University, Aalto, FinlandDepartment of Industrial Engineering, University of Salerno, Fisciano, ItalyDepartment of Communications and Networking, School of Electrical Engineering, Aalto University, Aalto, FinlandDepartment of Communications and Networking, School of Electrical Engineering, Aalto University, Aalto, FinlandDepartment of Communications and Networking, School of Electrical Engineering, Aalto University, Aalto, FinlandThe disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which still suffers from several disadvantages such as fostering a false sense of security among the end-users, allowing arbitrary delays in the disclosure process, and forcing the party reporting a vulnerability to identify themselves, which has been exploited by vendors through intimidation and malpractice. To address these issues, this paper presents an improved version of the Responsible Disclosure approach called Automated Responsible Disclosure (ARD) - a solution that leverages distributed ledgers and interledger technologies to automate the disclosure process while offering increased security, privacy, and transparency. A prototype implementation has been released as open-source software, and the evaluation of the solution shows that ARD is capable of addressing the key shortcomings in existing solutions and fostering more transparent disclosure practices.https://ieeexplore.ieee.org/document/9606687/Responsible disclosureautomated responsible disclosuresecurity vulnerabilityprivacydistributed ledgerinterledger |
| spellingShingle | Andrea Lisi Prateeti Mukherjee Laura De Santis Lei Wu Dmitrij Lagutin Yki Kortesniemi Automated Responsible Disclosure of Security Vulnerabilities IEEE Access Responsible disclosure automated responsible disclosure security vulnerability privacy distributed ledger interledger |
| title | Automated Responsible Disclosure of Security Vulnerabilities |
| title_full | Automated Responsible Disclosure of Security Vulnerabilities |
| title_fullStr | Automated Responsible Disclosure of Security Vulnerabilities |
| title_full_unstemmed | Automated Responsible Disclosure of Security Vulnerabilities |
| title_short | Automated Responsible Disclosure of Security Vulnerabilities |
| title_sort | automated responsible disclosure of security vulnerabilities |
| topic | Responsible disclosure automated responsible disclosure security vulnerability privacy distributed ledger interledger |
| url | https://ieeexplore.ieee.org/document/9606687/ |
| work_keys_str_mv | AT andrealisi automatedresponsibledisclosureofsecurityvulnerabilities AT prateetimukherjee automatedresponsibledisclosureofsecurityvulnerabilities AT lauradesantis automatedresponsibledisclosureofsecurityvulnerabilities AT leiwu automatedresponsibledisclosureofsecurityvulnerabilities AT dmitrijlagutin automatedresponsibledisclosureofsecurityvulnerabilities AT ykikortesniemi automatedresponsibledisclosureofsecurityvulnerabilities |