A mixed methods probe into the direct disclosure of software vulnerabilities
作者:
Highlights:
• Direct disclosure refers to a two-party dissemination of vulnerabilities.
• Historically many vendors have been reluctant to participate in disclosure.
• This paper examines direct disclosure practices in the 2000s and early 2010s.
• Both qualitative and quantitative methods are used for the empirical inquiry.
• According to the results, the reluctance of vendors has still been widespread.
摘要
•Direct disclosure refers to a two-party dissemination of vulnerabilities.•Historically many vendors have been reluctant to participate in disclosure.•This paper examines direct disclosure practices in the 2000s and early 2010s.•Both qualitative and quantitative methods are used for the empirical inquiry.•According to the results, the reluctance of vendors has still been widespread.
论文关键词:Full disclosure,Public disclosure,Responsible disclosure,Coordinated disclosure,Grace period,Proof-of-concept exploit,Vendor,Life cycle,Mixed methods
论文评审过程:Received 13 September 2018, Revised 15 September 2019, Accepted 25 September 2019, Available online 28 September 2019, Version of Record 4 October 2019.
论文官网地址:https://doi.org/10.1016/j.chb.2019.09.028