You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications

Security researchers can send vulnerability notifications to take proactive measures in securing systems at scale. However, the factors affecting a notification’s efficacy have not been deeply explored. In this paper, we report on an extensive study of notifying thousands of parties of security issues present within their networks, with an aim of illuminating which fundamental aspects of notifications have the greatest impact on efficacy. The vulnerabilities used to drive our study span a range of protocols and considerations: exposure of industrial control systems; apparent firewall omissions for IPv6-based services; and exploitation of local systems in DDoS amplification attacks. We monitored vulnerable systems for several weeks to determine their rate of remediation. By comparing with experimental controls, we analyze the impact of a number of variables: choice of party to contact (WHOIS abuse contacts versus national CERTs versus US-CERT), message verbosity, hosting an information website linked to in the message, and translating the message into the notified party’s local language. We also assess the outcome of the emailing process itself (bounces, automated replies, human replies, silence) and characterize the sentiments and perspectives expressed in both the human replies and an optional anonymous survey that accompanied our notifications.

We find that various notification regimens do result in different outcomes. The best observed process was directly notifying WHOIS contacts with detailed information in the message itself. These notifications had a statistically significant impact on improving remediation, and human replies were largely positive. However, the majority of notified contacts did not take action, and even when they did, remediation was often only partial. Repeat notifications did not further patching. These results are promising but ultimately modest, behooving the security community to more deeply investigate ways to improve the effectiveness of vulnerability notifications.
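The measurement the abstract describes (weekly re-scans of notified hosts, classified as full, partial or no remediation, and compared against an unnotified control group) is sketched below as an added example. It is not the paper's code or data: the group names, hosts and service sets are constructed, and the two-proportion z-test is one standard choice, not necessarily the test the authors used.

```python
import math
from collections import Counter
# Constructed weekly scans (not the paper's data): per group and host, the set of
# still-exposed services each week; index 0 = pre-notification baseline, -1 = last scan.
SCANS = {
    "whois_detailed": {
        "h1": [{"modbus", "ntp"}, {"ntp"}, set()],
        "h2": [{"ntp", "dns"}, {"dns"}, {"dns"}],
        "h3": [{"ipv6-smb"}, set(), set()],
        "h4": [{"ntp"}, {"ntp"}, {"ntp"}],
        "h5": [{"modbus"}, {"modbus"}, set()],
    },
    "whois_terse": {
        "h6": [{"ntp"}, {"ntp"}, {"ntp"}],
        "h7": [{"modbus", "ntp"}, {"modbus"}, {"modbus"}],
        "h8": [{"dns"}, set(), set()],
        "h9": [{"ntp"}, {"ntp"}, {"ntp"}],
    },
    "control": {  # vulnerable but never notified: measures background remediation
        "h10": [{"ntp"}, {"ntp"}, {"ntp"}],
        "h11": [{"modbus"}, {"modbus"}, {"modbus"}],
        "h12": [{"dns"}, {"dns"}, set()],
        "h13": [{"ipv6-smb"}, {"ipv6-smb"}, {"ipv6-smb"}],
    },
}

def host_status(snapshots):
    """'full' if nothing is exposed at the last scan, 'partial' if only some of
    the baseline services were closed (strict subset), otherwise 'none'."""
    if not snapshots[-1]:
        return "full"
    return "partial" if snapshots[-1] < snapshots[0] else "none"

def group_outcomes(scans=SCANS):
    """Count full/partial/none remediation per notification group."""
    return {g: Counter(host_status(s) for s in h.values()) for g, h in scans.items()}

def two_proportion_pvalue(k1, n1, k2, n2):
    """Two-sided z-test p-value for equal full-remediation rates (pooled SE); identical rates give 1.0."""
    p = (k1 + k2) / (n1 + n2)
    z = (k1 / n1 - k2 / n2) / (math.sqrt(p * (1 - p) * (1 / n1 + 1 / n2)) or math.inf)
    return 2 * (1 - 0.5 * (1 + math.erf(abs(z) / math.sqrt(2))))

def compare_to_control(scans=SCANS, control="control"):
    """Per notified group: (full-remediation rate, p-value vs. the unnotified control)."""
    out = group_outcomes(scans)
    ck, cn = out[control]["full"], sum(out[control].values())
    return {g: (c["full"] / sum(c.values()),
                two_proportion_pvalue(c["full"], sum(c.values()), ck, cn))
            for g, c in out.items() if g != control}
```

With samples this small no difference reaches significance; the point is the bookkeeping (baseline vs. final scan, partial credit, control group), which is what scales to thousands of hosts.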
