You’ve got vulnerability: Exploring effective vulnerability notifications

Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, Vern Paxson

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Security researchers can send vulnerability notifications to take proactive measures in securing systems at scale. However, the factors affecting a notification’s efficacy have not been deeply explored. In this paper, we report on an extensive study of notifying thousands of parties of security issues present within their networks, with an aim of illuminating which fundamental aspects of notifications have the greatest impact on efficacy. The vulnerabilities used to drive our study span a range of protocols and considerations: exposure of industrial control systems; apparent firewall omissions for IPv6-based services; and exploitation of local systems in DDoS amplification attacks. We monitored vulnerable systems for several weeks to determine their rate of remediation. By comparing with experimental controls, we analyze the impact of a number of variables: choice of party to contact (WHOIS abuse contacts versus national CERTs versus US-CERT), message verbosity, hosting an information website linked to in the message, and translating the message into the notified party’s local language. We also assess the outcome of the emailing process itself (bounces, automated replies, human replies, silence) and characterize the sentiments and perspectives expressed in both the human replies and an optional anonymous survey that accompanied our notifications. We find that various notification regimens do result in different outcomes. The best observed process was directly notifying WHOIS contacts with detailed information in the message itself. These notifications had a statistically significant impact on improving remediation, and human replies were largely positive. However, the majority of notified contacts did not take action, and even when they did, remediation was often only partial. Repeat notifications did not further patching. These results are promising but ultimately modest, behooving the security community to more deeply investigate ways to improve the effectiveness of vulnerability notifications.

    Original languageEnglish (US)
    Title of host publicationProceedings of the 25th USENIX Security Symposium
    PublisherUSENIX Association
    Pages1033-1050
    Number of pages18
    ISBN (Electronic)9781931971324
    StatePublished - Jan 1 2016
    Event25th USENIX Security Symposium - Austin, United States
    Duration: Aug 10 2016Aug 12 2016

    Publication series

    NameProceedings of the 25th USENIX Security Symposium

    Conference

    Conference25th USENIX Security Symposium
    CountryUnited States
    CityAustin
    Period8/10/168/12/16

      Fingerprint

    ASJC Scopus subject areas

    • Information Systems
    • Safety, Risk, Reliability and Quality
    • Computer Networks and Communications

    Cite this

    Li, F., Durumeric, Z., Czyz, J., Karami, M., Bailey, M., McCoy, D., Savage, S., & Paxson, V. (2016). You’ve got vulnerability: Exploring effective vulnerability notifications. In Proceedings of the 25th USENIX Security Symposium (pp. 1033-1050). (Proceedings of the 25th USENIX Security Symposium). USENIX Association.