Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification

Large-scale discovery of thousands of vulnerable Web sites has become a frequent event, thanks to recent advances in security research and the rise in maturity of Internet-wide scanning tools. The issues related to disclosing the vulnerability information to the affected parties, however, have only been treated as a side note in prior research.

In this paper, we systematically examine the feasibility and efficacy of large-scale notification campaigns. For this, we comprehensively survey existing communication channels and evaluate their usability in an automated notification process. Using a data set of over 44,000 vulnerable Web sites, we measure success rates, both with respect to the total number of fixed vulnerabilities and to reaching responsible parties, with the following high-level results: Although our campaign had a statistically significant impact compared to a control group, the increase in the fix rate of notified domains is marginal. If a notification report is read by the owner of the vulnerable application, the likelihood of a subsequent resolution of the issues is sufficiently high: about 40%. But, out of 35,832 transmitted vulnerability reports, only 2,064 (5.8%) were actually received successfully, resulting in an unsatisfactory overall fix rate, leaving 74.5% of Web applications exploitable after our month-long experiment. Thus, we conclude that currently no reliable notification channels exist, which significantly inhibits the success and impact of large-scale notification

Source: https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_stock.pdf
