A1 Journal article (refereed), original research

A mixed methods probe into the direct disclosure of software vulnerabilities

Open Access publication

Publication Details

Authors: Ruohonen Jukka, Hyrynsalmi Sami, Leppänen Ville

Publisher: Elsevier

Publication year: 2020

Language: English

Related journal or series: Computers in Human Behavior

Journal name in source: Computers in Human Behavior

Volume number: 103

Start page: 161

End page: 173

Number of pages: 13

ISSN: 0747-5632

eISSN: 1873-7692

JUFO level of this publication: 2

Digital Object Identifier (DOI): http://dx.doi.org/10.1016/j.chb.2019.09.028

Permanent website address: https://www.sciencedirect.com/science/article/pii/S0747563219303620?via=ihub

Open Access: Open Access publication

Location of the parallel saved publication: http://urn.fi/URN:NBN:fi-fe2020110389113


Software vulnerabilities are security-related software bugs. Direct disclosure refers to a practice that is widely used for communicating confidential information about vulnerabilities between two parties, vulnerability discoverers and software producers. Building on software vulnerability life cycle analysis, this empirical paper observes the qualitative and quantitative characteristics of direct disclosure practices, focusing particularly on the historical problem of producers' reluctance to participate in these practices. According to the results, the problem was still present in the 2000s and early 2010s, and likely is still present today. By presenting this empirical result about the under-researched phenomenon of direct disclosure of software vulnerabilities, the paper contributes to the research domain of vulnerability life cycle modeling in general and the subdomain of empirical vulnerability disclosure research in particular.

Keywords: Coordinated disclosure, Full disclosure, Grace period, Life cycle, Mixed methods, Proof-of-concept exploit, Public disclosure, Responsible disclosure, Vendor

Last updated on 2020-03-11 at 11:02