Disclosing or Concealing? Developments of Norms and Policies for Governing Software Vulnerabilities and Their Implications for Cybersecurity

13 Pages. Posted: 2 Apr 2016. Last revised: 16 Aug 2016

Andreas Kuehn

Syracuse University, School of Information Studies; Stanford University, Center for International Security and Cooperation; EastWest Institute, Global Cooperation in Cyberspace Initiative

Date Written: March 31, 2016

Abstract

Vulnerabilities in software are common, with several thousand of them disclosed annually by software security researchers. The public, however, has only recently become aware of software flaws and their implications for Internet security. Prominent examples that shaped this awareness include the Stuxnet cyberattacks, which exploited multiple software vulnerabilities, and the Snowden revelations of the NSA’s use of vulnerabilities in its cyber operations. With the disclosure of the Heartbleed bug in April 2014, the issue of security vulnerabilities hit closer to home for general Internet users, who were made aware of a severe flaw in a widely deployed implementation of a security protocol. It prompted the U.S. intelligence community to release an official statement denying prior knowledge of the OpenSSL vulnerability. The White House followed suit with an explanation of the U.S. government’s vulnerability disclosure policy.

Drawing on media reports, technical security briefs and recently released government documents, this paper sheds light on historical and current debates about whether and under what circumstances security flaws should be disclosed or concealed. It will (1) analyze the U.S. government’s policy that favors national security and law enforcement interests over public disclosure, (2) examine the newly emerging bug bounty programs of software vendors as a new mode of disclosure that rewards security researchers for reporting security flaws, and (3) discuss the role of export controls in restricting the proliferation of knowledge and technology related to vulnerability discovery and security research.

The considerable implications of software vulnerabilities for critical information infrastructure make policy-making around vulnerability disclosure a critical and timely topic. Questions about the disclosure norms and behavior of private, commercial and state actors with regard to vulnerability disclosure, acquisition and handling will play an increasingly important role in cybersecurity debates in the near future.

Please do not consider for presentation in the poster session

Keywords: cybersecurity, vulnerability disclosure, bug bounty program, zero-day exploit, export controls

Suggested Citation

Kuehn, Andreas, Disclosing or Concealing? Developments of Norms and Policies for Governing Software Vulnerabilities and Their Implications for Cybersecurity (March 31, 2016). TPRC 44: The 44th Research Conference on Communication, Information and Internet Policy 2016. Available at SSRN: https://ssrn.com/abstract=2757345

Andreas Kuehn (Contact Author)

Syracuse University, School of Information Studies

Hinds Hall
Syracuse, NY 13244
United States

Stanford University, Center for International Security and Cooperation

Stanford, CA 94305
United States

EastWest Institute, Global Cooperation in Cyberspace Initiative

New York, NY 10017
United States
