The Effects of Vulnerability Disclosure Policy on the Diffusion of Security Attacks
Authors
Abstract
With the nearly instantaneous spread of information in modern society, policies regarding the disclosure of information about security vulnerabilities have become the focus of significant discussion. The fundamental debate centers on tradeoffs inherent in disclosing information that security professionals need, but that can also be used for nefarious purposes. Our empirical study compares attacks based on software vulnerabilities disclosed through full disclosure and limited disclosure mechanisms. We find that full disclosure accelerates the diffusion of attacks and increases the risk of first attack after the vulnerability is reported. Building off our theoretical insights, we discuss the implications of our findings on information disclosure in more general contexts.
Related articles
The Disclosure and Diffusion of Security Information
With the nearly instantaneous dissemination of information in the modern era, policies regarding the disclosure of sensitive information have become the focus of significant discussion in several contexts. The fundamental debate centers on tradeoffs inherent in disclosing information that society needs, but that can also be used for nefarious purposes. Using information security as a research c...
Does information security attack frequency increase with vulnerability disclosure? An empirical analysis
Research in information security, risk management and investment has grown in importance over the last few years. However, without reliable estimates on attack probabilities, risk management is difficult to do in practice. Using a novel data set, we provide estimates on attack propensity and how it changes with disclosure and patching of vulnerabilities. Disclosure of software vulnerability has...
Impact of Vulnerability Disclosure and Patch Availability - An Empirical Analysis
Vulnerability disclosure is an area of public policy that has been subject to considerable debate, particularly between proponents of full and instant disclosure, and those of limited or no disclosure. This paper is an attempt to empirically test the impact of vulnerability information disclosure and availability of patches on attackers’ tendency to exploit vulnerabilities on one hand and on th...
A note on the security of two improved RFID protocols
Recently, Baghery et al. [1, 2] presented some attacks on two RFID protocols, namely Yoon and Jung et al. protocols, and proposed the improved version of them. However, in this note, we show that the improved version of the Jung et al. protocol suffers from desynchronization attack and the improved version of the Yoon's protocol suffers from secret disclosure attack. The succe...
Analysis of update delays in signature-based network intrusion detection systems
Network Intrusion Detection Systems (NIDS) play a fundamental role on security policy deployment and help organizations in protecting their assets from network attacks. Signature-based NIDS rely on a set of known patterns to match malicious traffic. Accordingly, they are unable to detect a specific attack until a specific signature for the corresponding vulnerability is created, tested, release...