Abstract

The disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which unfortunately suffers from several disadvantages such as fostering a false sense of security among the end-users, allowing arbitrary delays in the disclosure process, and forcing the party reporting a vulnerability to identify themselves, which has been exploited by vendors in the past through intimidation and malpractice. To address these issues, this paper presents an improved version of the Responsible Disclosure approach called Automated Responsible Disclosure (ARD) - a solution that leverages distributed ledgers and interledger technologies to automate the disclosure process while offering increased security, privacy, and transparency. A prototype implementation has been released as open-source software, and the evaluation of the solution shows that ARD is capable of addressing the key shortcomings in existing solutions and fostering more transparent vulnerability disclosure practices.


Summary

INTRODUCTION

Nowadays, when a significant portion of a person's life is dependent on digital systems, the security of those systems has become crucial due to the increasing number of cyber-attacks [1]. Vulnerability disclosure approaches are typically categorized as full vendor disclosure, full public disclosure, and responsible disclosure [7]–[11]. Full vendor disclosure restricts communication of the vulnerability to the vendor alone, which makes the process too opaque for the public; full public disclosure favors warning the public, which may also aid cyber-criminals; responsible disclosure tries to find a balance between the two by disclosing the vulnerability to the public only when a patch is released or when the time period granted for releasing a patch has expired.

The rest of the paper is organized as follows: Section II provides the background on security vulnerabilities, distributed ledgers, and interledger technologies; Section III describes the existing vulnerability disclosure approaches in more detail; Sections IV and V present the design and an implementation of an ARD system, respectively; Section VI evaluates the system with quantitative measurements; Section VII qualitatively analyses the solution and Section VIII discusses the implications and future work; Section IX concludes the paper.
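The three approaches above differ only in who may learn the report, and when. The following Python sketch is an added illustration, not the paper's ARD contracts or code: it models a responsible-disclosure timeline as a commit-then-reveal record on an append-only log. The reporter publishes a salted hash of the report under a pseudonym, so the public can see that a vulnerability exists for a vendor without learning its content, and the report itself may be revealed only once the vendor marks a patch or the committed deadline passes, so the vendor cannot stretch the embargo indefinitely. All names (`DisclosureLedger`, `commit`, `mark_patched`, `reveal`), the 90-day grace period and the sample report text are assumptions made for this example.

```python
"""Commit-then-reveal sketch of a deadline-enforced disclosure timeline.

Added illustration only. It is not the ARD paper's design or code; the class
and method names, the grace period and the sample report are invented here.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

DAY = 86_400  # seconds


def commitment(salt: bytes, report: bytes) -> str:
    # Binding a random salt into the hash stops anyone from brute-forcing the
    # report text from the public hash before the reveal.
    return hashlib.sha256(salt + report).hexdigest()


@dataclass
class Disclosure:
    vendor: str
    commit_hash: str
    deadline: int            # unix time after which a reveal is always allowed
    reporter_pseudonym: str  # e.g. a key fingerprint, never a legal identity
    patched_at: Optional[int] = None
    revealed: Optional[bytes] = None


@dataclass
class DisclosureLedger:
    """Minimal append-only log carrying the two checks a ledger would enforce."""
    entries: Dict[int, Disclosure] = field(default_factory=dict)

    def commit(self, vendor: str, commit_hash: str, now: int,
               grace_days: int, pseudonym: str) -> int:
        did = len(self.entries) + 1
        self.entries[did] = Disclosure(vendor, commit_hash,
                                       now + grace_days * DAY, pseudonym)
        return did

    def mark_patched(self, did: int, now: int) -> None:
        self.entries[did].patched_at = now

    def reveal(self, did: int, salt: bytes, report: bytes, now: int) -> bool:
        d = self.entries[did]
        if commitment(salt, report) != d.commit_hash:
            return False  # revealed text is not what was committed
        if d.patched_at is None and now < d.deadline:
            return False  # no patch yet and embargo still running: vendor-only
        d.revealed = report
        return True

    def is_public(self, did: int) -> bool:
        return self.entries[did].revealed is not None

    def pending(self, vendor: str) -> int:
        # What the public can see before any reveal: how many reports exist.
        return sum(1 for d in self.entries.values()
                   if d.vendor == vendor and d.revealed is None)


def demo() -> dict:
    """Walk two constructed reports through the timeline; returns each outcome."""
    ledger = DisclosureLedger()
    # Constructed sample report text; not a real finding.
    report = b"SAMPLE: auth bypass when the X-Forwarded-For header is spoofed"
    salt = os.urandom(32)
    t0 = 1_700_000_000
    did = ledger.commit("ExampleVendor", commitment(salt, report), t0, 90, "key-fp-1")
    did2 = ledger.commit("ExampleVendor", commitment(salt, report), t0, 90, "key-fp-1")
    out = {"pending_before": ledger.pending("ExampleVendor")}
    out["early_reveal"] = ledger.reveal(did, salt, report, t0 + 10 * DAY)
    out["wrong_salt"] = ledger.reveal(did, os.urandom(32), report, t0 + 91 * DAY)
    out["after_deadline"] = ledger.reveal(did, salt, report, t0 + 91 * DAY)
    out["public"] = ledger.is_public(did)
    ledger.mark_patched(did2, t0 + 20 * DAY)
    out["patched_early_reveal"] = ledger.reveal(did2, salt, report, t0 + 21 * DAY)
    out["pending_after"] = ledger.pending("ExampleVendor")
    return out


if __name__ == "__main__":
    print(demo())
```

The salt and report travel to the vendor over a private channel that this sketch does not model; only the hash, the deadline and the pseudonym are public. Replacing the in-memory `dict` with a real ledger changes where `now` comes from (block time rather than a caller-supplied integer), not the two checks in `reveal`.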

BACKGROUND
CRITERIA FOR VULNERABILITY DISCLOSURE
THE ARD DESIGN
THE ARD IMPLEMENTATION
PUBLIC LEDGER SMART CONTRACTS
Disclosure publishSecret
QUANTITATIVE EVALUATION
POTENTIAL THREATS
DISCUSSION
CONCLUSION