Disclosing or Concealing? Developments of Norms and Policies for Governing Software Vulnerabilities and Their Implications for Cybersecurity
13 Pages Posted: 2 Apr 2016 Last revised: 16 Aug 2016
Date Written: March 31, 2016
Vulnerabilities in software are common, with several thousand of them disclosed annually by software security researchers. The public, however, has only recently become aware of software flaws and their implications for Internet security. Prominent examples that shaped this awareness include the Stuxnet cyberattacks, which exploited multiple software vulnerabilities, and the Snowden revelation of the NSA's use of vulnerabilities for its cyber operations. With the disclosure of the Heartbleed bug in April 2014, the issue of security vulnerabilities hit closer to home for general Internet users, who were made aware of a severe flaw in a widely implemented security protocol. It prompted the U.S. intelligence community to release an official statement denying prior knowledge of the OpenSSL vulnerability. The White House followed suit with an explanation of the U.S. government's vulnerability disclosure policy.
Drawing on media reports, technical security briefs and recently released government documents, this paper sheds light on historical and current debates about whether, and under what circumstances, security flaws should be disclosed or concealed. It will (1) analyze the U.S. government's policy, which honors national security and law enforcement interests over public disclosure, (2) examine the newly emerging bug bounty programs of software vendors as a new mode of disclosure that rewards security researchers for reporting security flaws, and (3) discuss the role of export controls in prohibiting the proliferation of knowledge and technology related to vulnerability discovery and security research.
The considerable implications of software vulnerabilities for critical information infrastructure make policy-making around vulnerability disclosure a critical and timely topic. Questions about the disclosure norms and behavior of private, commercial and state actors with regard to vulnerability disclosure, acquisition, and handling will play an increasingly important role in cybersecurity debates in the near future.
Keywords: cybersecurity, vulnerability disclosure, bug bounty program, zero-day exploit, export controls