Your Vulnerability Disclosure Is Important To Us: An Analysis of Coordinated Vulnerability Disclosure Responses Using a Real Security Issue (2312.07284v1)

Published 12 Dec 2023 in cs.NI

Abstract: It is a public secret that doing email securely is fraught with challenges. We found a vulnerability present at many email providers, allowing us to spoof email on behalf of many organisations. As email vulnerabilities are ten a penny, instead of focusing on yet another email vulnerability we ask a different question: how do organisations react to the disclosure of such a security issue in the wild? We specifically focus on organisations from the public and critical infrastructure sector, which are required by law to respond to such notifications. We find that many organisations are difficult to reach when it concerns security issues, even if they have a security contact point. Additionally, our findings show that having a policy in place improves the response and resolution rate, but that even with a policy in place, half of our reports remain unanswered and unsolved after 90 days. Based on these findings we provide recommendations to organisations and bodies such as ENISA to improve future coordinated vulnerability disclosure processes.
