A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities

Jukka Ruohonen; Sami Hyrynsalmi; Ville Leppänen

doi:10.1016/j.chb.2019.09.028

A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities

Jukka Ruohonen, Sami Hyrynsalmi, Ville Leppänen

Computing Sciences

Research output: Contribution to journal › Article › Scientific › peer-review

10 Citations (Scopus)

Abstract

Software vulnerabilities are security-related software bugs. Direct disclosure refers to a practice that is widely used for communicating the confidential information about vulnerabilities between two parties, vulnerability discoverers and software producers. Building on software vulnerability life cycle analysis, this empirical paper observes the qualitative and quantitative characteristics of direct disclosure practices, focusing particularly on the historical problem related to producers’ reluctance to participate in the practices. According to the results, the problem was still present in the 2000s and early 2010s—and likely is still present today. By presenting this empirical result about the under researched phenomenon of direct disclosure of software vulnerabilities, the paper contributes to the research domain of vulnerability life cycle modeling in general and the subdomain of empirical vulnerability disclosure research in particular.

Original language	English
Pages (from-to)	161-173
Journal	Computers in Human Behavior
Volume	103
Early online date	25 Sept 2019
DOIs	https://doi.org/10.1016/j.chb.2019.09.028
Publication status	Published - Feb 2020
Publication type	A1 Journal article-refereed

Publication forum classification

Publication forum level 2

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1016/j.chb.2019.09.028

Cite this

@article{34db7dd6875648dfa14c36f2777e34a9,

title = "A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities",

abstract = "Software vulnerabilities are security-related software bugs. Direct disclosure refers to a practice that is widely used for communicating the confidential information about vulnerabilities between two parties, vulnerability discoverers and software producers. Building on software vulnerability life cycle analysis, this empirical paper observes the qualitative and quantitative characteristics of direct disclosure practices, focusing particularly on the historical problem related to producers{\textquoteright} reluctance to participate in the practices. According to the results, the problem was still present in the 2000s and early 2010s—and likely is still present today. By presenting this empirical result about the under researched phenomenon of direct disclosure of software vulnerabilities, the paper contributes to the research domain of vulnerability life cycle modeling in general and the subdomain of empirical vulnerability disclosure research in particular.",

author = "Jukka Ruohonen and Sami Hyrynsalmi and Ville Lepp{\"a}nen",

year = "2020",

month = feb,

doi = "10.1016/j.chb.2019.09.028",

language = "English",

volume = "103",

pages = "161--173",

journal = "Computers in Human Behavior",

issn = "0747-5632",

publisher = "Elsevier",

}

TY - JOUR

T1 - A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities

AU - Ruohonen, Jukka

AU - Hyrynsalmi, Sami

AU - Leppänen, Ville

PY - 2020/2

Y1 - 2020/2

N2 - Software vulnerabilities are security-related software bugs. Direct disclosure refers to a practice that is widely used for communicating the confidential information about vulnerabilities between two parties, vulnerability discoverers and software producers. Building on software vulnerability life cycle analysis, this empirical paper observes the qualitative and quantitative characteristics of direct disclosure practices, focusing particularly on the historical problem related to producers’ reluctance to participate in the practices. According to the results, the problem was still present in the 2000s and early 2010s—and likely is still present today. By presenting this empirical result about the under researched phenomenon of direct disclosure of software vulnerabilities, the paper contributes to the research domain of vulnerability life cycle modeling in general and the subdomain of empirical vulnerability disclosure research in particular.

AB - Software vulnerabilities are security-related software bugs. Direct disclosure refers to a practice that is widely used for communicating the confidential information about vulnerabilities between two parties, vulnerability discoverers and software producers. Building on software vulnerability life cycle analysis, this empirical paper observes the qualitative and quantitative characteristics of direct disclosure practices, focusing particularly on the historical problem related to producers’ reluctance to participate in the practices. According to the results, the problem was still present in the 2000s and early 2010s—and likely is still present today. By presenting this empirical result about the under researched phenomenon of direct disclosure of software vulnerabilities, the paper contributes to the research domain of vulnerability life cycle modeling in general and the subdomain of empirical vulnerability disclosure research in particular.

U2 - 10.1016/j.chb.2019.09.028

DO - 10.1016/j.chb.2019.09.028

M3 - Article

SN - 0747-5632

VL - 103

SP - 161

EP - 173

JO - Computers in Human Behavior

JF - Computers in Human Behavior

ER -

A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities

Abstract

Publication forum classification

UN SDGs

Access to Document

Fingerprint

Cite this