Vulnerability Disclosure Considered Stressful

IF 2.2 4区 计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS ACM Sigcomm Computer Communication Review Pub Date : 2023-07-19 DOI:https://dl.acm.org/doi/10.1145/3610381.3610383
Giovane C. M. Moura, John Heidemann
{"title":"Vulnerability Disclosure Considered Stressful","authors":"Giovane C. M. Moura, John Heidemann","doi":"https://dl.acm.org/doi/10.1145/3610381.3610383","DOIUrl":null,"url":null,"abstract":"<p>Vulnerability disclosure is a widely recognized practice in the software industry, but there is a lack of literature detailing the firsthand experiences of researchers who have gone through the process. This work aims to bridge that gap by sharing our personal experience of accidentally discovering a DNS vulnerability and navigating the vulnerability disclosure process for the first time. We document our mistakes and highlight the important lessons we learned, such as the fact that public disclosure can be effective but can also be more time-consuming and emotionally taxing than anticipated. Additionally, we discuss the ethical considerations and potential consequences that may arise during each step of the disclosure process. Lastly, drawing from our own experiences, we identify and discuss issues with the current disclosure process and propose recommendations for its improvement. Our ultimate aim is to provide valuable insights to fellow researchers who may encounter similar challenges in the future and contribute to the enhancement of the overall disclosure process for the benefit of the wider community.</p>","PeriodicalId":50646,"journal":{"name":"ACM Sigcomm Computer Communication Review","volume":"373 1","pages":""},"PeriodicalIF":2.2000,"publicationDate":"2023-07-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Sigcomm Computer Communication Review","FirstCategoryId":"94","ListUrlMain":"https://doi.org/https://dl.acm.org/doi/10.1145/3610381.3610383","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Vulnerability disclosure is a widely recognized practice in the software industry, but there is a lack of literature detailing the firsthand experiences of researchers who have gone through the process. This work aims to bridge that gap by sharing our personal experience of accidentally discovering a DNS vulnerability and navigating the vulnerability disclosure process for the first time. We document our mistakes and highlight the important lessons we learned, such as the fact that public disclosure can be effective but can also be more time-consuming and emotionally taxing than anticipated. Additionally, we discuss the ethical considerations and potential consequences that may arise during each step of the disclosure process. Lastly, drawing from our own experiences, we identify and discuss issues with the current disclosure process and propose recommendations for its improvement. Our ultimate aim is to provide valuable insights to fellow researchers who may encounter similar challenges in the future and contribute to the enhancement of the overall disclosure process for the benefit of the wider community.

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
被认为有压力的漏洞披露
在软件行业中,漏洞披露是一种被广泛认可的做法,但缺乏详细描述研究人员经历这一过程的第一手经验的文献。这项工作旨在通过分享我们偶然发现DNS漏洞的个人经验和第一次导航漏洞披露过程来弥合这一差距。我们记录了我们的错误,并强调了我们吸取的重要教训,比如公开披露可能是有效的,但也可能比预期的更耗时、更耗感情。此外,我们还讨论了在披露过程的每个步骤中可能出现的道德考虑和潜在后果。最后,根据自己的经验,我们发现并讨论了当前披露过程中存在的问题,并提出了改进建议。我们的最终目标是为未来可能遇到类似挑战的研究人员提供有价值的见解,并为加强整体披露过程做出贡献,以造福于更广泛的社区。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
ACM Sigcomm Computer Communication Review
ACM Sigcomm Computer Communication Review 工程技术-计算机:信息系统
CiteScore
6.90
自引率
3.60%
发文量
20
审稿时长
4-8 weeks
期刊介绍: Computer Communication Review (CCR) is an online publication of the ACM Special Interest Group on Data Communication (SIGCOMM) and publishes articles on topics within the SIG''s field of interest. Technical papers accepted to CCR typically report on practical advances or the practical applications of theoretical advances. CCR serves as a forum for interesting and novel ideas at an early stage in their development. The focus is on timely dissemination of new ideas that may help trigger additional investigations. While the innovation and timeliness are the major criteria for its acceptance, technical robustness and readability will also be considered in the review process. We particularly encourage papers with early evaluation or feasibility studies.
期刊最新文献
The I/O Driven Server: From SmartNICs to Data Movement Controllers On Integrating eBPF into Pluginized Protocols Can We Save the Public Internet? The October 2023 Issue Recent Trends on Privacy-Preserving Technologies under Standardization at the IETF
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1