research-article

Vulnerability Disclosure Considered Stressful

Authors:
Giovane C. M. Moura

SIDN Labs and TU Delft, Arnhem and Delft, The Netherlands

SIDN Labs and TU Delft, Arnhem and Delft, The Netherlands
View Profile

,
John Heidemann

USC/ISI and CS Dept., Los Angeles, California, USA

USC/ISI and CS Dept., Los Angeles, California, USA
View Profile

Authors Info & Claims

ACM SIGCOMM Computer Communication Review Volume 53 Issue 2April 2023pp 2–10https://doi.org/10.1145/3610381.3610383

Published:19 July 2023Publication History

ACM SIGCOMM Computer Communication Review

Abstract

Vulnerability disclosure is a widely recognized practice in the software industry, but there is a lack of literature detailing the firsthand experiences of researchers who have gone through the process. This work aims to bridge that gap by sharing our personal experience of accidentally discovering a DNS vulnerability and navigating the vulnerability disclosure process for the first time. We document our mistakes and highlight the important lessons we learned, such as the fact that public disclosure can be effective but can also be more time-consuming and emotionally taxing than anticipated. Additionally, we discuss the ethical considerations and potential consequences that may arise during each step of the disclosure process. Lastly, drawing from our own experiences, we identify and discuss issues with the current disclosure process and propose recommendations for its improvement. Our ultimate aim is to provide valuable insights to fellow researchers who may encounter similar challenges in the future and contribute to the enhancement of the overall disclosure process for the benefit of the wider community.

References

ACM. 2023. ACM Code of Ethics and Professional Conduct. https://www.acm.org/code-of-ethicsGoogle Scholar
ACM. 2023. CISA Coordinated Vulnerability Disclosure (CVD) Process. https://www.cisa.gov/coordinated-vulnerability-disclosure-processGoogle Scholar
Abdullah M Algarni and Yashwant K Malaiya. 2014. Software vulnerability markets: Discoverers and buyers. International Journal of Computer and Information Engineering 8, 3 (2014), 480--490.Google Scholar
Ashish Arora, Anand Nandkumar, and Rahul Telang. 2006. Does information security attack frequency increase with vulnerability disclosure? An empirical analysis. Information Systems Frontiers 8, 5 (2006), 350--362.Google ScholarDigital Library
A. Arora and R. Telang. 2005. Economics of software vulnerability disclosure. IEEE Security & Privacy 3, 1 (2005), 20--25. Google ScholarDigital Library
Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler. 2010. A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World. Commun. ACM 53, 2 (feb 2010), 66--75. Google ScholarDigital Library
ISC BIND. 2021. TsuNAME DNS Vulnerability and BIND 9. https://www.isc.org/blogs/2021_tsuname_vulnerability/.Google Scholar
Randy Bush. 2021. it's a shame that cycle prevention was not in the early DNS RFCs. oh wait! it was. https://twitter.com/enoclue/status/1390388281020321793.Google Scholar
Randy Bush. 2021. possible rsync validation dos vulns. https://mailman.nanog.org/pipermail/nanog/2021-October/216309.html.Google Scholar
cert.gov. 2021. Vulnerability Disclosure Policy. https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy.Google Scholar
Orçun Çetin, Carlos Ganán, Lisette Altena, Takahiro Kasama, Daisuke Inoue, Kazuki Tamiya, Ying Tie, Katsunari Yoshioka, and Michel Van Eeten. 2019. Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai.. In Proceedings of the 26th Annual Symposium on Network and Distributed System Security (NDSS '19).Google ScholarCross Ref
MITRE Corporation. 2022. CVE. https://cve.org/.Google Scholar
MITRE Corporation. 2022. CVE List Downloads. https://cve.org/Downloads.Google Scholar
DNS OARC. 2021. Introduction to DNS-OARC. https://www.dns-oarc.net.Google Scholar
Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, and J. Alex Halderman. 2014. The Matter of Heartbleed. In Proceedings of the 2014 Conference on Internet Measurement Conference (Vancouver, BC, Canada) (IMC '14). Association for Computing Machinery, New York, NY, USA, 475--488.Google ScholarDigital Library
Serge Egelman, Cormac Herley, and Paul C. van Oorschot. 2013. Markets for Zero-Day Exploits: Ethics and Implications. In Proceedings of the 2013 New Security Paradigms Workshop (Banff, Alberta, Canada) (NSPW '13). Association for Computing Machinery, New York, NY, USA, 41--46. Google ScholarDigital Library
Batya Friedman, David G. Hendry, and Alan Borning. 2017. A Survey of Value Sensitive Design Methods. Foundations and Trends® in Human-Computer Interaction 11, 2 (2017), 63--125. Google ScholarDigital Library
Giovane Moura. 2021. OARC Members Only Session: Vulnerability Disclosure (DDoS). https://indico.dns-oarc.net/event/37/contributions/821/.Google Scholar
Giovane Moura. 2021. Public Disclosure DNS vulnerability. https://indico.dns-oarc.net/event/38/contributions/849/.Google Scholar
Google. 2022. Google and Alphabet Vulnerability Reward Program (VRP) Rules. https://bughunters.google.com/about/rules/6625378258649088/google-and-alphabet-vulnerability-reward-program-vrp-rules.Google Scholar
Google. 2022. Google Public DNS. https://developers.google.com/speed/public-dns/Google Scholar
Google Developers. 2023. Issue Tracker Concepts. Website. https://developers.google.com/issue-tracker/concepts/issuesGoogle Scholar
Google Project Zero. 2021. Vulnerability Disclosure FAQ. https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html.Google Scholar
HackerOne. 2022. #1 Trusted Security Platform and Hacker Program. https://www.hackerone.com/Google Scholar
Raphael Hiesgen, Marcin Nawrocki, Thomas C. Schmidt, and Matthias Wählisch. 2022. The Race to the Vulnerable: Measuring the Log4j Shell Incident. In In Proc. of Network Traffic Measurement and Analysis Conference (TMA '22) (Enschede, The Netherlands). IFIP.Google Scholar
P. Hoffman, A. Sullivan, and K. Fujiwara. 2018. DNS Terminology. RFC 8499. IETF. http://tools.ietf.org/rfc/rfc8499.txtGoogle Scholar
Allen D Householder, Garret Wassermann, Art Manion, and Chris King. 2017. The CERT Guide to Coordinated Vulnerability Disclosure. Technical Report. Carnegie-Mellon Univ Pittsburgh Pa Pittsburgh United States. https://resources.sei.cmu.edu/asset_files/specialreport/2017_003_001_503340.pdfGoogle Scholar
IEEE. 2023. 7.8 IEEE Code of Ethics. https://www.ieee.org/about/corporate/governance/p7-8.htmlGoogle Scholar
ISO/IEC. 2018. ISO/IEC 29147:2018 - Information technology --- Security techniques --- Vulnerability disclosure. Technical Report. ISO. https://www.iso.org/standard/72311.htmlGoogle Scholar
A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. 1993. Common DNS Implementation Errors and Suggested Fixes. RFC 1536. IETF. http://tools.ietf.org/rfc/rfc1536.txtGoogle Scholar
David McKinney. 2007. Vulnerability Bazaar. IEEE Security & Privacy 5, 6 (2007), 69--73. Google ScholarDigital Library
P.V. Mockapetris. 1987. Domain names - concepts and facilities. RFC 1034. IETF. http://tools.ietf.org/rfc/rfc1034.txtGoogle Scholar
P.V. Mockapetris. 1987. Domain names - implementation and specification. RFC 1035. IETF. http://tools.ietf.org/rfc/rfc1035.txtGoogle Scholar
Giovane Moura, Wes Hardaker, John Heidemann, and Sebastian Castro. 2021. Negative Caching of Looping NS records. Internet-Draft draft-moura-dnsop-negative-cache-loop-00. Internet Engineering Task Force. https://datatracker.ietf.org/doc/draft-moura-dnsop-negative-cache-loop/00/ Work in Progress.Google Scholar
Giovane C. M. Moura. Nov 22, 2021. Responsible Disclosure. https://ripe83.ripe.net/archives/video/625/Google Scholar
Giovane C. M. Moura, Sebastian Castro, Wes Hardaker, Maarten Wullink, and Cristian Hesselman. 2020. Clouding up the Internet: How Centralized is DNS Traffic Becoming?. In Proceedings of the ACM Internet Measurement Conference (Virtual Event, USA) (IMC '20). Association for Computing Machinery, New York, NY, USA, 42--49.Google ScholarDigital Library
Giovane C. M. Moura, Sebastian Castro, John Heidemann, and Wes Hardaker. 2021. TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS. In Proceedings of the ACM Internet Measurement Conference. ACM, Virtual, 398--418. Google ScholarDigital Library
Lisa P. Nathan, Batya Friedman, Predrag Klasnja, Shaun K. Kane, and Jessica K. Miller. 2008. Envisioning systemic effects on persons and society throughout interactive system design. In Proceedings of the 7th ACM conference on Designing interactive systems (Cape Town, South Africa) (DIS '08). ACM, New York, NY, USA, 1--10. Google ScholarDigital Library
NCSC-NL. 2018. Coordinated Vulnerability Disclosure the Guideline. Technical Report. National Cybersecurity Center (NCSC-NL). https://english.ncsc.nl/publications/publications/2019/juni/01/coordinated-vulnerability-disclosure-the-guidelineGoogle Scholar
NLnetLabs. 2021. tsuNAME vulnerability and Unbound. https://nlnetlabs.nl/news/2021/May/10/tsuname-vulnerability-and-unbound/.Google Scholar
OpenDNS. 2021. Setup Guide: OpenDNS. https://www.opendns.com/. https://www.opendns.com/Google Scholar
Nicole Perlroth. 2016. Hackers Used New Weapons to Disrupt Major Websites Across U.S. New York Times (Oct. 22 2016), A1. http://www.nytimes.com/2016/10/22/business/internet-problems-attack.htmlGoogle Scholar
Nicole Perlroth and David E. Sanger. 2013. Nations Buying as Hackers Sell Flaws in Computer Code. New York Times (Jul. 13 2013). https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.htmlGoogle Scholar
PowerDNS. 2021. TsuNAME vulnerability and PowerDNS Recursor. https://blog.powerdns.com/2021/05/10/tsuname-vulnerability-and-powerdns-recursor/.Google Scholar
Dennis Reidsma, Jeroen van der Ham, and Andrea Continella. 2023. Operationalizing Cybersecurity Research Ethics Review: From Principles and Guidelines to Practice. In Proceedings EthiCS 2023. Internet Society. 2nd International Workshop on Ethics in Computer Security, EthiCS 2023, EthiCS; Conference date: 27-02-2023 Through 27-02-2023. Google ScholarCross Ref
E. Rescorla. 2005. Is finding security holes a good idea? IEEE Security & Privacy 3, 1 (2005), 14--19. Google ScholarDigital Library
Bruce Schneier. 2007. Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'. https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.htmlGoogle Scholar
Matthew Rosenberg Scott Shane and Andrew W. Lehren. 2017. WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents. New York Times (Mar. 7 2017). https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.htmlGoogle Scholar
R. Shirey. 2007. Internet Security Glossary, Version 2. RFC 4949. IETF. http://tools.ietf.org/rfc/rfc4949.txtGoogle Scholar
FIRST Ethics special interest. 2023. Ethics for Incident Response and Security Teams. https://ethicsfirst.org/.Google Scholar
Ben Stock, Giancarlo Pellegrino, Frank Li, Michael Backes, and Christian Rossow. 2018. Didn't you hear me?---Towards more successful web vulnerability notifications. (2018).Google Scholar
MSRC Ecosystem Strategy Team. 2010. Coordinated Vulnerability Disclosure: Bringing Balance to the Force. Technical Report. Microsoft. https://learn.microsoft.com/en-us/archive/blogs/ecostrat/coordinated-vulnerability-disclosure-bringing-balance-to-the-forceGoogle Scholar
Vlad Tsyrklevich. 2015. Hacking Team: a zero-day market case study. https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/.Google Scholar
University of Twente. 2023. Coordinated Vunerability Disclosure. Website. https://www.utwente.nl/en/eemcs/research/ethics/coordinated-vulnerability-disclosure/Google Scholar
Daniel Votipka, Rock Stevens, Elissa Redmiles, Jeremy Hu, and Michelle Mazurek. 2018. Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes. In 2018 IEEE Symposium on Security and Privacy (SP). 374--391. Google ScholarCross Ref
ZERODIUM. 2022. The Premium Exploit Acquisition Platform. https:/zerodium.com.Google Scholar
Mingyi Zhao, Jens Grossklags, and Peng Liu. 2015. An Empirical Study of Web Vulnerability Discovery Ecosystems. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (Denver, Colorado, USA) (CCS '15). Association for Computing Machinery, New York, NY, USA, 1105--1117. Google ScholarDigital Library

Index Terms

Vulnerability Disclosure Considered Stressful
1. Networks
  1. Network protocols
    1. Application layer protocols
2. Security and privacy

Recommendations

Economics of Software Vulnerability Disclosure

Information security breaches frequently exploit software flaws or vulnerabilities, causing significant economic losses. Considerable debate and disagreement exist about how to disclose vulnerabilities to the public. A theoretical framework helps ...
Read More
Does information security attack frequency increase with vulnerability disclosure? An empirical analysis

Research in information security, risk management and investment has grown in importance over the last few years. However, without reliable estimates on attack probabilities, risk management is difficult to do in practice. Using a novel data set, we ...
Read More
New Hurdles for Vulnerability Disclosure

Vulnerability disclosure is an important part of information security. In recent years, vulnerabilities in specific Web sites and SCADA implementations have created new hurdles for vulnerability disclosure. These aspects of information security have ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM SIGCOMM Computer Communication Review Volume 53, Issue 2
April 2023
45 pages
ISSN:0146-4833
DOI:10.1145/3610381
Editor:
Steve Uhlig
Queen Mary, Univ. of London
Issue’s Table of Contents
Copyright © 2023 Copyright is held by the owner/author(s)
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 19 July 2023
Check for updates
Author Tags
coordinated vulnerability disclosure
denial-of-service attacks
software vulnerability
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 118
  Total Downloads
- Downloads (Last 12 months)118
- Downloads (Last 6 weeks)34
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Vulnerability Disclosure Considered Stressful

ACM SIGCOMM Computer Communication Review

Abstract

References

Cited By

Index Terms

Recommendations

Economics of Software Vulnerability Disclosure

Does information security attack frequency increase with vulnerability disclosure? An empirical analysis

New Hurdles for Vulnerability Disclosure