(2016) Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification.
Full text: notification.pdf (Published Version, PDF, 390kB)
Abstract
Large-scale discovery of thousands of vulnerable Web sites has become a frequent event, thanks to recent advances in security research and the rise in maturity of Internet-wide scanning tools. The issues related to disclosing the vulnerability information to the affected parties, however, have only been treated as a side note in prior research. In this paper, we systematically examine the feasibility and efficacy of large-scale notification campaigns. For this, we comprehensively survey existing communication channels and evaluate their usability in an automated notification process. Using a data set of over 44,000 vulnerable Web sites, we measure success rates, both with respect to the total number of fixed vulnerabilities and to reaching responsible parties, with the following high-level results: Although our campaign had a statistically significant impact compared to a control group, the increase in the fix rate of notified domains is marginal. If a notification report is read by the owner of the vulnerable application, the likelihood of a subsequent resolution of the issues is sufficiently high: about 40%. But, out of 35,832 transmitted vulnerability reports, only 2,064 (5.8%) were actually received successfully, resulting in an unsatisfactory overall fix rate, leaving 74.5% of Web applications exploitable after our month-long experiment. Thus, we conclude that currently no reliable notification channels exist, which significantly inhibits the success and impact of large-scale notification.
| Field | Value |
|---|---|
| Item Type | Conference or Workshop Item (Paper) |
| Additional Information | pub_id: 1006; Bibtex: stock_disclosure:16; URL date: None |
| Uncontrolled Keywords | group:infsec, security |
| Divisions | Michael Backes (InfSec); Ben Stock (Secure Web Applications Group, SWAG); Christian Rossow (System Security Group, SysSec) |
| Conference | USENIX Security Symposium |
| Depositing User | Sebastian Weisgerber |
| Date Deposited | 26 Jul 2017 10:30 |
| Last Modified | 18 Jul 2019 12:12 |
| Primary Research Area | NRA5: Empirical & Behavioral Security |
| URI | https://publications.cispa.saarland/id/eprint/477 |