Automated Responsible Disclosure of Security Vulnerabilities

Andrea Lisi; Prateeti Mukherjee; Laura De Santis; Lei Wu; Dmitrij Lagutin; Yki Kortesniemi

doi:10.1109/ACCESS.2021.3126401

Automated Responsible Disclosure of Security Vulnerabilities

Andrea Lisi^*
, Prateeti Mukherjee
, Laura De Santis
, Lei Wu
, Dmitrij Lagutin
, Yki Kortesniemi

^*Tämän työn vastaava kirjoittaja

University of Pisa
IIT-CNR
University of Salerno

Tutkimustuotos: Lehtiartikkeli › Article › Scientific › vertaisarvioitu

5 Sitaatiot (Scopus)

212 Lataukset (Pure)

Abstrakti

The disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which still suffers from several disadvantages such as fostering a false sense of security among the end-users, allowing arbitrary delays in the disclosure process, and forcing the party reporting a vulnerability to identify themselves, which has been exploited by vendors through intimidation and malpractice. To address these issues, this paper presents an improved version of the Responsible Disclosure approach called Automated Responsible Disclosure (ARD) - a solution that leverages distributed ledgers and interledger technologies to automate the disclosure process while offering increased security, privacy, and transparency. A prototype implementation has been released as open-source software, and the evaluation of the solution shows that ARD is capable of addressing the key shortcomings in existing solutions and fostering more transparent disclosure practices.

Alkuperäiskieli	Englanti
Sivut	10472-10489
Sivumäärä	18
Julkaisu	IEEE Access
Vuosikerta	10
DOI - pysyväislinkit	https://doi.org/10.1109/ACCESS.2021.3126401
Tila	Julkaistu - 8 marrask. 2021
OKM-julkaisutyyppi	A1 Alkuperäisartikkeli tieteellisessä aikakauslehdessä

YK:n kestävän kehityksen tavoitteet

Tämä tuotos edistää seuraavia kestävän kehityksen tavoitteita:

SDG 11 – Kestävät kaupungit ja yhteisöt

Pääsy asiakirjaan

10.1109/ACCESS.2021.3126401Lisenssi: CC BY

Automated_Responsible_Disclosure_of_Security_VulnerabilitiesFinal published version, 2,12 MBLisenssi: CC BY

Muut tiedostot ja linkit

Linkki julkaisuun Scopuksessa

1 Päättynyt

SOFIE: Secure Open Federation for Internet Everywhere
Nikander, P. (Vastuullinen johtaja), Wu, L. (Projektin jäsen), Mukherjee, P. (Projektin jäsen), Talebi, A. (Projektin jäsen), Lisi, A. (Projektin jäsen), Ghorbani, M. (Projektin jäsen), Pahlevan, M. (Projektin jäsen), Hoseini, S. (Projektin jäsen), Paavolainen, S. (Projektin jäsen), Ruutu, S. (Projektin jäsen), Biswas, S. (Projektin jäsen), Lagutin, D. (Projektin jäsen), Huttunen, J. (Projektin jäsen), Kortesniemi, Y. (Projektin jäsen), Tabatabaee, A. (Projektin jäsen), Elo, T. (Projektin jäsen), Lassila, P. (Projektin jäsen) & Mattila, J. (Projektin jäsen)
27/12/2017 → 31/12/2020
Projekti: EU: Framework programmes funding

Siteeraa tätä

@article{89ac88551feb4cb18baf6946964d7ee9,

title = "Automated Responsible Disclosure of Security Vulnerabilities",

abstract = "The disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which still suffers from several disadvantages such as fostering a false sense of security among the end-users, allowing arbitrary delays in the disclosure process, and forcing the party reporting a vulnerability to identify themselves, which has been exploited by vendors through intimidation and malpractice. To address these issues, this paper presents an improved version of the Responsible Disclosure approach called Automated Responsible Disclosure (ARD) - a solution that leverages distributed ledgers and interledger technologies to automate the disclosure process while offering increased security, privacy, and transparency. A prototype implementation has been released as open-source software, and the evaluation of the solution shows that ARD is capable of addressing the key shortcomings in existing solutions and fostering more transparent disclosure practices.",

keywords = "Distributed ledger, Privacy, Computer bugs, Smart contracts, Public transportation, Prototypes, Peer-to-peer computing",

author = "Andrea Lisi and Prateeti Mukherjee and Santis, \{Laura De\} and Lei Wu and Dmitrij Lagutin and Yki Kortesniemi",

note = "| openaire: EC/H2020/779984/EU//SOFIE",

year = "2021",

month = nov,

day = "8",

doi = "10.1109/ACCESS.2021.3126401",

language = "English",

volume = "10",

pages = "10472--10489",

journal = "IEEE Access",

issn = "2169-3536",

publisher = "IEEE",

}

TY - JOUR

T1 - Automated Responsible Disclosure of Security Vulnerabilities

AU - Lisi, Andrea

AU - Mukherjee, Prateeti

AU - Santis, Laura De

AU - Wu, Lei

AU - Lagutin, Dmitrij

AU - Kortesniemi, Yki

N1 - | openaire: EC/H2020/779984/EU//SOFIE

PY - 2021/11/8

Y1 - 2021/11/8

N2 - The disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which still suffers from several disadvantages such as fostering a false sense of security among the end-users, allowing arbitrary delays in the disclosure process, and forcing the party reporting a vulnerability to identify themselves, which has been exploited by vendors through intimidation and malpractice. To address these issues, this paper presents an improved version of the Responsible Disclosure approach called Automated Responsible Disclosure (ARD) - a solution that leverages distributed ledgers and interledger technologies to automate the disclosure process while offering increased security, privacy, and transparency. A prototype implementation has been released as open-source software, and the evaluation of the solution shows that ARD is capable of addressing the key shortcomings in existing solutions and fostering more transparent disclosure practices.

AB - The disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which still suffers from several disadvantages such as fostering a false sense of security among the end-users, allowing arbitrary delays in the disclosure process, and forcing the party reporting a vulnerability to identify themselves, which has been exploited by vendors through intimidation and malpractice. To address these issues, this paper presents an improved version of the Responsible Disclosure approach called Automated Responsible Disclosure (ARD) - a solution that leverages distributed ledgers and interledger technologies to automate the disclosure process while offering increased security, privacy, and transparency. A prototype implementation has been released as open-source software, and the evaluation of the solution shows that ARD is capable of addressing the key shortcomings in existing solutions and fostering more transparent disclosure practices.

KW - Distributed ledger

KW - Privacy

KW - Computer bugs

KW - Smart contracts

KW - Public transportation

KW - Prototypes

KW - Peer-to-peer computing

UR - https://www.scopus.com/pages/publications/85124204838

U2 - 10.1109/ACCESS.2021.3126401

DO - 10.1109/ACCESS.2021.3126401

M3 - Article

SN - 2169-3536

VL - 10

SP - 10472

EP - 10489

JO - IEEE Access

JF - IEEE Access

ER -

Automated Responsible Disclosure of Security Vulnerabilities

Abstrakti

YK:n kestävän kehityksen tavoitteet

Pääsy asiakirjaan

Muut tiedostot ja linkit

Sormenjälki

Projektit

SOFIE: Secure Open Federation for Internet Everywhere

Siteeraa tätä