CISPA
Browse
cispa_all_1190.pdf (461.5 kB)

Didn't You Hear Me? --- Towards More Successful Web Vulnerability Notifications

Download (461.5 kB)
conference contribution
posted on 2023-11-29, 18:07 authored by Ben StockBen Stock, Giancarlo PellegrinoGiancarlo Pellegrino, Frank Li, Michael BackesMichael Backes, Christian RossowChristian Rossow
After treating the notification of affected parties as mere side-notes in research, our community has recently put more focus on how vulnerability disclosure can be conducted at scale. The first works in this area have shown that while notifications are helpful to a significant fraction of operators, the vast majority of systems remain unpatched. In this paper, we build on these previous works, aiming to understand why the effects are not more significant. To that end, we report on a notification experiment targeting more than 24,000 domains, which allowed us to analyze what technical and human aspects are roadblocks to a successful campaign. As part of this experiment, we explored potential alternative notification channels beyond email, including social media and phone. In addition, we conducted an anonymous survey with the notified operators, investigating their perspectives on our notifications. We show the pitfalls of email-based communications, such as the impact of anti-spam filters, the lack of trust by recipients, and hesitations to fix vulnerabilities despite awareness. However, our exploration of alternative communication channels did not suggest a more promising medium. Seeing these results, we pinpoint future directions in improving security notifications.

History

Preferred Citation

Ben Stock, Giancarlo Pellegrino, Frank Li, Michael Backes and Christian Rossow. Didn't You Hear Me? --- Towards More Successful Web Vulnerability Notifications. In: Network and Distributed System Security Symposium (NDSS). 2018.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Network and Distributed System Security Symposium (NDSS)

Legacy Posted Date

2017-11-29

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_1190, title = "Didn't You Hear Me? --- Towards More Successful Web Vulnerability Notifications", author = "Stock, Ben and Pellegrino, Giancarlo and Li, Frank and Backes, Michael and Rossow, Christian", booktitle="{Network and Distributed System Security Symposium (NDSS)}", year="2018", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC