# Sharing of vulnerability information among companies -- a survey of Swedish companies

**Authors:** Thomas Olsson, Martin Hell, Martin Höst, Ulrik Franke, Markus Borg

arXiv: 1906.04424 · 2019-06-12

## TL;DR

This survey investigates Swedish companies' attitudes and practices regarding sharing vulnerability information, revealing openness but passive sharing behaviors that contrast with cybersecurity guidelines advocating active disclosure.

## Contribution

It provides empirical insights into current sharing practices and attitudes of companies, highlighting gaps between actual behavior and recommended cybersecurity sharing protocols.

## Key findings

- Companies are willing to share vulnerability information but do so passively rather than proactively.
- Most companies consider vulnerability information sensitive.
- There is a perceived low interest from customers in vulnerability disclosures.

## Abstract

Software products are rarely developed from scratch, and vulnerabilities in such products might reside in parts that are either open source software or provided by another organization. Hence, the total cybersecurity of a product often depends on cooperation, explicit or implicit, between several organizations. We study the attitudes and practices of companies in software ecosystems towards sharing vulnerability information. Furthermore, we compare these practices to contemporary cybersecurity recommendations. This is performed through a questionnaire-based qualitative survey. The questionnaire is divided into two parts: the providers' perspective and the acquirers' perspective. The results show that companies are willing to share information with each other regarding vulnerabilities. Sharing is not considered to be harmful either to cybersecurity or to their business, even though a majority of the respondents consider vulnerability information sensitive. However, the companies, despite being open to sharing, are less inclined to proactively share vulnerability information. Furthermore, the providers do not perceive that there is a large interest in vulnerability information from their customers. Hence, the companies' overall attitude to sharing vulnerability information is passive but open. In contrast, contemporary cybersecurity guidelines recommend active disclosure and sharing among actors in an ecosystem.

---
Source: https://tomesphere.com/paper/1906.04424