
    Vulnerability Disclosure: Best Practice Guidelines

    It is vital to the commercial interests of providers of Internet of Things (IoT) products and solutions, and to the security of their customers, that vulnerabilities are discovered and remediated as soon as possible. Third-party security researchers are a valuable adjunct to a provider’s internal resources in addressing this goal. To ensure effective co-operation and maintain good relations with external security researchers, it is important for providers to define and communicate vulnerability disclosure processes that not only describe how they would like vulnerabilities to be reported confidentially to them, but also set expectations as to how they will process and act upon such reports. This process should include provision of feedback to the discovering researcher, and the public announcement of the security vulnerability, usually after the release of a software patch, hardware fix, or other remediation. The ETSI 303 645 standard [4], which lays down baseline security requirements for the consumer IoT, includes requirement 5.2, to “Implement a means to manage reports of vulnerabilities”. This states that “The manufacturer shall make a vulnerability disclosure policy publicly available.”, adding that “A vulnerability disclosure policy clearly specifies the process through which security researchers and others are able to report issues.” This document provides manufacturers, integrators, distributors, and retailers of IoT products and services with a set of guidelines for handling the disclosure of security vulnerabilities, based on best practice and international standards.

    Economic Factors of Vulnerability Trade and Exploitation

    Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists of the economics of attack acquisition and deployment. Yet this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and the effects of market factors on the likelihood of exploit. Our data is collected first-hand from a prominent Russian cybercrime market where the most active attack tools reported by the security industry are traded. Our findings reveal that exploits in the underground are priced similarly to or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on the likelihood of attack realization, and find strong evidence of a correlation between market activity and exploit deployment. We discuss the implications for vulnerability metrics, economics, and exploit measurement. Comment: 17 pages, 11 figures, 14 tables

    The Security Rule


    Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges. Report of a CEPS Task Force. CEPS Task Force Reports 28 June 2018

    This report puts forward analysis and recommendations for the design and implementation of a forward-looking policy on software vulnerability disclosure (SVD) in Europe. It is the result of extensive deliberations among the members of a Task Force formed by CEPS in September 2017, including industry experts, representatives of EU and international institutions, academics, civil society organisations and practitioners. Drawing on current best practices throughout Europe, the US and Japan, the Task Force explored ways to formulate practical guidelines for governments and businesses to harmonise the process of handling SVD throughout Europe. These discussions led to policy recommendations addressed to member states and the EU institutions for the development of an effective policy framework for introducing coordinated vulnerability disclosure (CVD) and government disclosure decision processes (GDDP) in Europe.

    Nonbanks and risk in retail payments

    This paper documents the importance of nonbanks in retail payments in the United States and in 15 European countries and analyzes the implications of the importance and multiple roles played by nonbanks on retail payment risks. This paper also reviews the main regulatory safeguards in place, and concludes that there may be a need to reconsider some of them in view of the growing role of nonbanks and of the global reach of risks in the electronic era.

    The future of corporate reporting: a review article

    Significant changes in the corporate external reporting environment have led to proposals for fundamental changes in corporate reporting practices. Recent influential reports by major organisations have suggested that a variety of new information types be reported, in particular forward-looking, non-financial and soft information. This paper presents a review and synthesis of these reports and provides a framework for classifying and describing the suggested information types. The existence of academic antecedents for certain current proposals is identified and the ambiguous relationship between research and practice is explored. The implications for future academic research are discussed and a research agenda is introduced.