Weiheng Bai and Qiushi Wu (University of Minnesota)

Vulnerability research is vital to mitigating cyberattacks, which tries to devise new approaches to discover new vulnerabilities. As an ethical research guideline, researchers are expected to report the found vulnerabilities to the corresponding vendors before disclosing them (e.g., publishing a paper), which is known as the responsible-disclosure process. Undoubtedly, the intention of responsible disclosure is to help improve the security of software. We observe that the current responsible disclosure may not be as effective as expected. In particular, reports can be significantly delayed or completely ignored. Reports for securitycritical vulnerabilities are often publicly disclosed, which can potentially be abused by attackers.

In this work, we plan to study the effectiveness of the existing responsible disclosure. Two major questions we aim to answer are: (1) Are security-critical bug reports commonly disclosed publicly in the first place? (2) What factors of a bug report contribute to delaying or ignoring? By answering the questions, we aim to provide insights into how to improve the quality of bug reports and the effectiveness of responsible disclosure. In this paper, we present our preliminary results of this work. We take the Linux reports and patch history as an example. We found that at least in Linux, most security bugs are publicly disclosed before they are fixed, and that factors such as length of reports, author experience, and author affiliations have an impact on the delay of patching. In the end, we also present our plans for future work.

View More Papers

DOITRUST: Dissecting On-chain Compromised Internet Domains via Graph Learning

Shuo Wang (CSIRO's Data61 & Cybersecurity CRC, Australia), Mahathir Almashor (CSIRO's Data61 & Cybersecurity CRC, Australia), Alsharif Abuadbba (CSIRO's Data61 & Cybersecurity CRC, Australia), Ruoxi Sun (CSIRO's Data61), Minhui Xue (CSIRO's Data61), Calvin Wang (CSIRO's Data61), Raj Gaire (CSIRO's Data61 & Cybersecurity CRC, Australia), Surya Nepal (CSIRO's Data61 & Cybersecurity CRC, Australia), Seyit Camtepe (CSIRO's…

Read More

Double and Nothing: Understanding and Detecting Cryptocurrency Giveaway Scams

Xigao Li (Stony Brook University), Anurag Yepuri (Stony Brook University), Nick Nikiforakis (Stony Brook University)

Read More

CHKPLUG: Checking GDPR Compliance of WordPress Plugins via Cross-language...

Faysal Hossain Shezan (University of Virginia), Zihao Su (University of Virginia), Mingqing Kang (Johns Hopkins University), Nicholas Phair (University of Virginia), Patrick William Thomas (University of Virginia), Michelangelo van Dam (in2it), Yinzhi Cao (Johns Hopkins University), Yuan Tian (UCLA)

Read More

VASP: V2X Application Spoofing Platform

Mohammad Raashid Ansari, Jonathan Petit, Jean-Philippe Monteuuis, Cong Chen (Qualcomm Technologies, Inc.)

Read More