Taylor J Canann - One of the best experts on this subject based on the ideXlab platform.
- Toward a Theory of Vulnerability Disclosure Policy: A Hacker's Game
  Decision and Game Theory for Security (GameSec), Lecture Notes in Computer Science, 2019. Co-authors: Taylor J Canann.
  Abstract: A game between software vendors, heterogeneous software users, and a hacker is introduced in which software vendors attempt to protect software users by releasing updates, i.e. disclosing a vulnerability, and the hacker is attempting to exploit vulnerabilities in the software package to attack the software users. The software users must determine whether the protection offered by the update outweighs the cost of installing the update. Following the model is a description of why the disclosure of vulnerabilities can only be an optimal policy when the cost to the hacker of searching for a zero-day vulnerability is small. The model is also extended to discuss Microsoft's new "extended support" disclosure policy.
- Software Vulnerability Analysis in Cyber Security: A Network Structure Approach
  2014. Co-authors: Taylor J Canann.
  Abstract: I analyze the effects of network structure, in particular network centrality, on vulnerability disclosure policy. My analysis finds that the structure of the network of households can greatly affect the overall welfare of the economy. Specifically, I find that the distribution of the centrality of the nodes and the radius of the network have a significant effect on the optimal disclosure policy system. I find that the level of activity by the software vendor to find vulnerabilities, alpha, only affects the household decision as a "show of good faith". As long as the software vendor puts a little effort into alpha, then the household is more likely to update and desire to purchase the software. However, at the margin, the centrality effects of the network dominate the effects of the software vendor's attempt to change alpha.
Andrew B. Whinston - One of the best experts on this subject based on the ideXlab platform.
- A Reputation-Based Mechanism for Software Vulnerability Disclosure
  Americas Conference on Information Systems (AMCIS), 2007. Co-authors: Xia Zhao, Jianqing Chen, Andrew B. Whinston.
  Abstract: Whether and how to disclose software vulnerability information has been debated intensely. An optimal disclosure policy should balance the tradeoff between its impact on software vendors' incentives and the potential risks imposed on customers. Previous research on software vulnerability primarily focused on the timing aspect of the disclosure policy. In this paper, we investigate another dimension, the reputation aspect, of the disclosure policy. We propose a disclosure mechanism integrated with a reputation system which reflects the software security level. Reputation by itself can effectively provide an incentive for software vendors to fix vulnerabilities. Furthermore, the reputation operator can partially release vulnerability details to optimize social welfare.
Uldis ķinis - One of the best experts on this subject based on the ideXlab platform.
- From Responsible Disclosure Policy (RDP) towards State Regulated Responsible Vulnerability Disclosure Procedure (hereinafter RVDP): The Latvian Approach
  Computer Law & Security Review, 2017. Co-authors: Uldis ķinis.
  Abstract: Cybersecurity is an integral part of security. It plays a tremendous role in modern society. It encompasses technical, organizational and legislative measures created for the purpose of protecting against and minimizing the impacts of cyber incidents. Any software may contain bugs or security holes. Hackers frequently discover such flaws and, without the vendor's consent, disclose step-by-step instructions about the vulnerability to the public, disregarding the possible IT security risk. Many vendors have already introduced responsible disclosure policies or "bug bounty" programs. In 2013 the Netherlands launched the first state responsible disclosure guidelines. The guidelines contain principles, definitions and organizational measures necessary for a responsible disclosure policy as a state policy. Latvia decided to draft a regulation on the responsible disclosure procedure. In March 2016, the Ministry of Defence created a working group. The goal of the drafters was: 1) to prepare an amendment to the Law on the Security of Information Systems to create a legislative framework for the responsible vulnerability disclosure process; 2) to draft an amendment to Section 241 (3) of the Criminal Law to create a guaranty against prosecution (waiver) for persons who act in accordance with the responsible disclosure process. The paper provides an insight into this process and the difficulties faced by the drafters, and presents provisional results of the legislative draft and lessons to be learnt.
Xia Zhao - One of the best experts on this subject based on the ideXlab platform.
- A Reputation-Based Mechanism for Software Vulnerability Disclosure
  Americas Conference on Information Systems (AMCIS), 2007. Co-authors: Xia Zhao, Jianqing Chen, Andrew B. Whinston. Abstract as listed under Andrew B. Whinston above.
Jianqing Chen - One of the best experts on this subject based on the ideXlab platform.
- A Reputation-Based Mechanism for Software Vulnerability Disclosure
  Americas Conference on Information Systems (AMCIS), 2007. Co-authors: Xia Zhao, Jianqing Chen, Andrew B. Whinston. Abstract as listed under Andrew B. Whinston above.