Frank Li, University of California, Berkeley; Zakir Durumeric, University of Michigan, University of Illinois at Urbana–Champaign, and International Computer Science Institute; Jakub Czyz, University of Michigan; Mohammad Karami, George Mason University; Michael Bailey, University of Illinois at Urbana–Champaign; Damon McCoy, New York University; Stefan Savage, University of California, San Diego; Vern Paxson, University of California, Berkeley, and International Computer Science Institute
Abstract:
Security researchers can send vulnerability notifications to take proactive measures in securing systems at scale. However, the factors affecting a notification’s efficacy have not been deeply explored. In this paper, we report on an extensive study of notifying thousands of parties of security issues present within their networks, with an aim of illuminating which fundamental aspects of notifications have the greatest impact on efficacy. The vulnerabilities used to drive our study span a range of protocols and considerations: exposure of industrial control systems; apparent firewall omissions for IPv6-based services; and exploitation of local systems in DDoS amplification attacks. We monitored vulnerable systems for several weeks to determine their rate of remediation. By comparing with experimental controls, we analyze the impact of a number of variables: choice of party to contact (WHOIS abuse contacts versus national CERTs versus US-CERT), message verbosity, hosting an information website linked to in the message, and translating the message into the notified party’s local language. We also assess the outcome of the emailing process itself (bounces, automated replies, human replies, silence) and characterize the sentiments and perspectives expressed in both the human replies and an optional anonymous survey that accompanied our notifications.
We find that various notification regimens do result in different outcomes. The best observed process was directly notifying WHOIS contacts with detailed information in the message itself. These notifications had a statistically significant impact on improving remediation, and human replies were largely positive. However, the majority of notified contacts did not take action, and even when they did, remediation was often only partial. Repeat notifications did not further patching. These results are promising but ultimately modest, behooving the security community to more deeply investigate ways to improve the effectiveness of vulnerability notifications.
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
BibTeX
@inproceedings {197270,
author = {Frank Li and Zakir Durumeric and Jakub Czyz and Mohammad Karami and Michael Bailey and Damon McCoy and Stefan Savage and Vern Paxson},
title = {You{\textquoteright}ve Got Vulnerability: Exploring Effective Vulnerability Notifications},
booktitle = {25th USENIX Security Symposium (USENIX Security 16)},
year = {2016},
isbn = {978-1-931971-32-4},
address = {Austin, TX},
pages = {1033--1050},
url = {https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/li},
publisher = {USENIX Association},
month = aug
}
Twitter
Facebook
LinkedIn
Google+
YouTube
connect with us