Your Vulnerability Disclosure Is Important To Us: An Analysis of Coordinated Vulnerability Disclosure Responses Using a Real Security Issue
CoRR(2023)
摘要
It is a public secret that doing email securely is fraught with challenges.
We found a vulnerability present at many email providers, allowing us to spoof
email on behalf of many organisations. As email vulnerabilities are ten a
penny, instead of focusing on yet another email vulnerability we ask a
different question: how do organisations react to the disclosure of such a
security issue in the wild? We specifically focus on organisations from the
public and critical infrastructure sector who are required to respond to such
notifications by law. We find that many organisations are difficult to reach
when it concerns security issues, even if they have a security contact point.
Additionally, our findings show that having policy in place improves the
response and resolution rate, but that even with a policy in place, half of our
reports remain unanswered and unsolved after 90~days. Based on these findings
we provide recommendations to organisations and bodies such as ENISA to improve
future coordinated vulnerability disclosure processes.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要