Talking Trojan: Analyzing an Industry-Wide Disclosure

TL;DR

This paper analyzes the industry-wide response to the Trojan Source vulnerability, examining how different organizations managed disclosure, coordinated efforts, and media coverage to improve future vulnerability handling.

Contribution

It provides a comprehensive analysis of the coordinated disclosure process for Trojan Source, comparing responses across industry sectors and proposing improvements.

Findings

Firms and nonprofits responded differently to disclosures.

Outsourced responses varied from in-house management.

Media and bug bounty programs influenced disclosure outcomes.

Abstract

While vulnerability research often focuses on technical findings and post-public release industrial response, we provide an analysis of the rest of the story: the coordinated disclosure process from discovery through public release. The industry-wide 'Trojan Source' vulnerability which affected most compilers, interpreters, code editors, and code repositories provided an interesting natural experiment, enabling us to compare responses by firms versus nonprofits and by firms that managed their own response versus firms that outsourced it. We document the interaction with bug bounty programs, government disclosure assistance, academic peer review, and press coverage, among other topics. We compare the response to an attack on source code with the response to a comparable attack on NLP systems employing machine-learning techniques. We conclude with recommendations to improve the global coordinated disclosure system.