Abstract
Vulnerability disclosure is a widely recognized practice in the software industry, but there is a lack of literature detailing the firsthand experiences of researchers who have gone through the process. This work aims to bridge that gap by sharing our personal experience of accidentally discovering a DNS vulnerability and navigating the vulnerability disclosure process for the first time. We document our mistakes and highlight the important lessons we learned, such as the fact that public disclosure can be effective but can also be more time-consuming and emotionally taxing than anticipated. Additionally, we discuss the ethical considerations and potential consequences that may arise during each step of the disclosure process. Lastly, drawing from our own experiences, we identify and discuss issues with the current disclosure process and propose recommendations for its improvement. Our ultimate aim is to provide valuable insights to fellow researchers who may encounter similar challenges in the future and contribute to the enhancement of the overall disclosure process for the benefit of the wider community.
Vulnerability Disclosure Considered Stressful