Didn’t You Hear Me? — Towards More Successful Web Vulnerability Notifications

Stock, Ben and Pellegrino, Giancarlo and Li, Frank and Backes, Michael and Rossow, Christian
(2018) Didn’t You Hear Me? — Towards More Successful Web Vulnerability Notifications.
In: Proceedings of the 25th Annual Symposium on Network and Distributed System Security (NDSS '18)..
Conference: Conferences 1840 not found.

Full text not available from this repository.


After treating the notification of affected parties as mere side-notes in research, our community has recently put more focus on how vulnerability disclosure can be conducted at scale. The first works in this area have shown that while notifications are helpful to a significant fraction of operators, the vast majority of systems remain unpatched. In this paper, we build on these previous works, aiming to understand why the effects are not more significant. To that end, we report on a notification experiment targeting more than 24,000 domains, which allowed us to analyze what technical and human aspects are roadblocks to a successful campaign. As part of this experiment, we explored potential alternative notification channels beyond email, including social media and phone. In addition, we conducted an anonymous survey with the notified operators, investigating their perspectives on our notifications. We show the pitfalls of email-based communications, such as the impact of anti-spam filters, the lack of trust by recipients, and hesitations to fix vulnerabilities despite awareness. However, our exploration of alternative communication channels did not suggest a more promising medium. Seeing these results, we pinpoint future directions in improving security notifications.


Actions (login required)

View Item View Item