5 research outputs found

    Friendly Hackers to the Rescue: How Organizations Perceive Crowdsourced Vulnerability Discovery

    Over the past years, crowdsourcing has increasingly been used for the discovery of vulnerabilities in software. While some organizations have extensively used crowdsourced vulnerability discovery, other organizations have been very hesitant in embracing this method. In this paper, we report the results of a qualitative study that reveals organizational concerns and fears in relation to crowdsourced vulnerability discovery. The study is based on 36 key informant interviews with various organizations. The study reveals a set of pre-adoption fears (i.e., lacking managerial expertise, low quality submissions, distrust in security professionals, cost escalation, lack of motivation of security professionals) as well as the post-adoption issues actually experienced. The study also identifies countermeasures that adopting organizations have used to mitigate fears and minimize issues. Implications for research and practice are discussed.

    Crowdsourcing software vulnerability discovery: expertise indicators, organizations perception and quality control

    The complexity of software-based systems is increasing dramatically as development becomes even more distributed across multiple heterogeneous, autonomous, and evolving cloud services. More specifically, the increased reliance on third-party software-based systems (e.g., cloud services, open APIs, external programming libraries and black-box software packages) makes it very difficult for in-house IT experts to deal with the inherent risks of using external software. In order to overcome potential vulnerability issues, several organizations outsource tasks such as vulnerability discovery to third-party providers. More recently, the approach of crowdsourcing vulnerability discovery has emerged. In this research, we examine crowdsourcing vulnerability discovery tasks both analytically and empirically through systematic literature review, interviews, surveys and case studies. We identify models and dimensions of vulnerability discovery tasks. We investigate the pre-adoption fears that prevent organizations from using crowdsourcing for vulnerability discovery, issues faced by organizations that have adopted crowdsourcing for vulnerability discovery, and countermeasures used by organizations to mitigate these fears and issues. We investigate one of the key countermeasures we identified (i.e., people selection) and investigate indicators of the expertise of security professionals involved in the crowdsourced vulnerability discovery tasks. Finally, we derive a quality control model (quality dimensions and attributes). We investigate the methods used for quality assessment in crowdsourced vulnerability discovery tasks, and the assurance strategies used to improve the quality of these tasks. We conduct a case study to evaluate the quality control model. Finally, we provide practical guidelines to support practitioners in achieving better quality while deploying a crowdsourced vulnerability discovery task.

    Physicians' guideline adherence is associated with long-term heart failure mortality in outpatients with heart failure with reduced ejection fraction: the QUALIFY international registry

    Background: Physicians' adherence to guideline-recommended therapy is associated with short-term clinical outcomes in heart failure (HF) with reduced ejection fraction (HFrEF). However, its impact on longer-term outcomes is poorly documented. Here, we present results from the 18-month follow-up of the QUALIFY registry. Methods and results: Data at 18 months were available for 6118 ambulatory HFrEF patients from this international prospective observational survey. Adherence was measured as a continuous variable, ranging from 0 to 1, and was assessed for five classes of recommended HF medications and dosages. Most deaths were cardiovascular (CV) (228/394) and HF-related (191/394) and the same was true for unplanned hospitalizations (1175 CV and 861 HF-related hospitalizations, out of a total of 1541). According to univariable analysis, CV and HF deaths were significantly associated with physician adherence to guidelines. In multivariable analysis, HF death was associated with adherence level [subdistribution hazard ratio (SHR) 0.93, 95% confidence interval (CI) 0.87–0.99 per 0.1 unit adherence level increase; P = 0.034] as was composite of HF hospitalization or CV death (SHR 0.97, 95% CI 0.94–0.99 per 0.1 unit adherence level increase; P = 0.043), whereas unplanned all-cause, CV or HF hospitalizations were not (all-cause: SHR 0.99, 95% CI 0.9–1.02; CV: SHR 0.98, 95% CI 0.96–1.01; and HF: SHR 0.99, 95% CI 0.96–1.02 per 0.1 unit change in adherence score; P = 0.52, P = 0.2, and P = 0.4, respectively). Conclusion: These results suggest that physicians' adherence to guideline-recommended HF therapies is associated with improved outcomes in HFrEF. Practical strategies should be established to improve physicians' adherence to guidelines. © 2019 The Authors. European Journal of Heart Failure © 2019 European Society of Cardiolog

    Factors in the Pathogenesis of Tumors of the Sphenoid and Maxillary Sinuses: A Comparative Study
