Automated Responsible Disclosure of Security Vulnerabilities

Andrea Lisi; Prateeti Mukherjee; Laura De Santis; Lei Wu; Dmitrij Lagutin; Yki Kortesniemi

doi:10.1109/ACCESS.2021.3126401

IEEE Access (Jan 2022)

Automated Responsible Disclosure of Security Vulnerabilities

Andrea Lisi,
Prateeti Mukherjee,
Laura De Santis,
Lei Wu,
Dmitrij Lagutin,
Yki Kortesniemi

Affiliations

Andrea Lisi: ORCiD; Department of Computer Science, University of Pisa, Pisa, Italy
Prateeti Mukherjee: Department of Communications and Networking, School of Electrical Engineering, Aalto University, Aalto, Finland
Laura De Santis: Department of Industrial Engineering, University of Salerno, Fisciano, Italy
Lei Wu: ORCiD; Department of Communications and Networking, School of Electrical Engineering, Aalto University, Aalto, Finland
Dmitrij Lagutin: ORCiD; Department of Communications and Networking, School of Electrical Engineering, Aalto University, Aalto, Finland
Yki Kortesniemi: ORCiD; Department of Communications and Networking, School of Electrical Engineering, Aalto University, Aalto, Finland

DOI: https://doi.org/10.1109/ACCESS.2021.3126401
Journal volume & issue: Vol. 10
pp. 10472 – 10489

Abstract

Read online

The disclosure of security vulnerabilities plays an important role in notifying vendors and the public about flaws in digital systems. Among the proposed disclosure approaches, the most utilized is Responsible Disclosure, which still suffers from several disadvantages such as fostering a false sense of security among the end-users, allowing arbitrary delays in the disclosure process, and forcing the party reporting a vulnerability to identify themselves, which has been exploited by vendors through intimidation and malpractice. To address these issues, this paper presents an improved version of the Responsible Disclosure approach called Automated Responsible Disclosure (ARD) - a solution that leverages distributed ledgers and interledger technologies to automate the disclosure process while offering increased security, privacy, and transparency. A prototype implementation has been released as open-source software, and the evaluation of the solution shows that ARD is capable of addressing the key shortcomings in existing solutions and fostering more transparent disclosure practices.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords