Journal article
Coordinated vulnerability disclosure programme effectiveness: issues and recommendations
- Abstract:
- Coordinated Vulnerability Disclosure (CVD) programmes leverage a global network of independent security researchers (hackers) to support pre- and post-deployment security. Organisations are increasingly adopting Bug Bounty Programmes (BBPs) and Vulnerability Disclosure Programmes (VDPs) to outsource work from internal security teams, and are able to use the results of a programme to help shape their Software Development Life Cycle (SDLC) processes. Motivated by the question "How effectively are organisations utilising CVD programmes?", we aim to address two issues concerning the operation of CVD programmes. First, it is necessary to identify the pre- and post-launch issues faced by programme operators that inhibit effective operation. Second, organisations stand to benefit if they are able to use the results of a CVD programme outside of the typical reporting and triaging information flow between a hacker and the operator. As such, it is useful to explore how the results of a CVD programme influence change across the SDLCs of real-world organisations and to measure the extent to which this occurs. We report the results of a qualitative study based on 39 survey responses and eight semi-structured interviews with individuals involved in the operation of CVD programmes. We find that the fears and issues faced by organisations are similar to those identified in earlier studies, suggesting that there has been little progress in preventing the prevalent problems faced by CVD programme operators. High volumes of low-quality, low-value reports still burden operators and consume resources. We also find that organisations use the information contained within vulnerability reports to drive change in a number of security activities, namely testing, communication processes, and the specification of security requirements. Finally, based on the survey and interview responses, we provide recommendations to those looking to establish a CVD programme.
- Publication status:
- Published
- Peer review status:
- Peer reviewed
- Files:
- Version of record (pdf, 1.3MB)
- Publisher copy:
- 10.1016/j.cose.2022.102936
- Authors:
- Walshe and Simpson
- Publisher:
- Elsevier
- Journal:
- Computers & Security
- Volume:
- 123
- Article number:
- 102936
- Publication date:
- 2022-09-27
- Acceptance date:
- 2022-09-25
- DOI:
- 10.1016/j.cose.2022.102936
- ISSN:
- 0167-4048
- Language:
- English
- Pubs id:
- 1281416
- Local pid:
- pubs:1281416
- Deposit date:
- 2022-10-04
Terms of use
- Copyright holder:
- Walshe and Simpson
- Copyright date:
- 2022
- Rights statement:
- © 2022 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/)
- Licence:
- CC Attribution (CC BY)