<div class="csl-bib-body">
<div class="csl-entry">Chen, T.-H., Tagliaro, C., Lindorfer, M., Borgolte, K., & van der Ham-de Vos, J. (2024). Are You Sure You Want To Do Coordinated Vulnerability Disclosure? In <i>2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)</i> (pp. 307–314). https://doi.org/10.1109/EuroSPW61312.2024.00039</div>
</div>
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/203668
-
dc.description.abstract
The rising numbers of vulnerabilities and security issues stemming from the rapid iteration and development of the Internet of Things (IoT) have introduced new challenges for the involved stakeholders to mitigate them in time. To effectively bring researchers, vendors, and end-users together to address such problems, Coordinated Vulnerability Disclosure (CVD) has become standard practice. Although general CVD procedures for practitioners to follow exist, adapting them to the specific circumstances has proven to be complicated in practice. In this paper, we document our experience of reporting various security vulnerabilities for 15,820 IoT backends. The discovery and scanning have been part of a separate research project; in this contribution we focus on the disclosure to the backends' operators in a large-scale coordinated vulnerability disclosure effort, following the latest disclosure guidelines. We discuss what we have learned to inform others who want to engage in large-scale CVD, we compare the steps and tradeoffs of our effort with current CVD suggestions, based on our measurement before and after the disclosure, and we describe how adapting our approach can improve CVD best practices.
en
dc.description.sponsorship
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds
-
dc.language.iso
en
-
dc.subject
coordinated disclosure
en
dc.subject
vulnerability disclosure
en
dc.subject
responsible disclosure
en
dc.subject
research ethics
en
dc.subject
IoT backends
en
dc.subject
large-scale measurements
en
dc.title
Are You Sure You Want To Do Coordinated Vulnerability Disclosure?
en
dc.type
Inproceedings
en
dc.type
Konferenzbeitrag
de
dc.contributor.affiliation
University of Twente, Netherlands (the)
-
dc.contributor.affiliation
Ruhr University Bochum, Germany
-
dc.contributor.affiliation
University of Twente, Netherlands (the)
-
dc.relation.isbn
979-8-3503-6729-4
-
dc.description.startpage
307
-
dc.description.endpage
314
-
dc.relation.grantno
ICT19-056
-
dc.type.category
Full-Paper Contribution
-
tuw.booktitle
2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
-
tuw.project.title
IoTIO: Analyse des Internet der Unsicheren Dinge
-
tuw.researchTopic.id
I4
-
tuw.researchTopic.name
Information Systems Engineering
-
tuw.researchTopic.value
100
-
tuw.publication.orgunit
E192-06 - Forschungsbereich Security and Privacy
-
tuw.publisher.doi
10.1109/EuroSPW61312.2024.00039
-
dc.description.numberOfPages
8
-
tuw.author.orcid
0009-0003-0095-4525
-
tuw.author.orcid
0000-0001-7001-4481
-
tuw.author.orcid
0000-0001-7427-7852
-
tuw.author.orcid
0000-0002-5685-8714
-
tuw.event.name
9th International Workshop on Traffic Measurements for Cybersecurity (WTMC 2024)
en
tuw.event.startdate
08-07-2024
-
tuw.event.enddate
08-07-2024
-
tuw.event.online
On Site
-
tuw.event.type
Event for scientific audience
-
tuw.event.place
Vienna
-
tuw.event.country
AT
-
tuw.event.presenter
Chen, Ting-Han
-
tuw.event.track
Single Track
-
wb.sciencebranch
Informatik
-
wb.sciencebranch.oefos
1020
-
wb.sciencebranch.value
100
-
item.openairetype
conference paper
-
item.grantfulltext
restricted
-
item.openairecristype
http://purl.org/coar/resource_type/c_5794
-
item.fulltext
no Fulltext
-
item.cerifentitytype
Publications
-
item.languageiso639-1
en
-
crisitem.author.dept
University of Twente, Netherlands (the)
-
crisitem.author.dept
E192-06 - Forschungsbereich Security and Privacy
-
crisitem.author.dept
E192-06 - Forschungsbereich Security and Privacy
-
crisitem.author.dept
Ruhr University Bochum, Germany
-
crisitem.author.dept
University of Twente, Netherlands (the)
-
crisitem.author.orcid
0009-0003-0095-4525
-
crisitem.author.orcid
0000-0001-7001-4481
-
crisitem.author.orcid
0000-0001-7427-7852
-
crisitem.author.orcid
0000-0002-5685-8714
-
crisitem.author.parentorg
E192 - Institut für Logic and Computation
-
crisitem.author.parentorg
E192 - Institut für Logic and Computation
-
crisitem.project.funder
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds