Vulnerability Disclosure or Notification? Best Practices for Reaching Stakeholders at Scale
Ting-Han Chen, Jeroen van der Ham-de Vos

TL;DR
This paper examines the differences between vulnerability disclosure and notification, analyzing recent strategies and outcomes to recommend best practices for effectively reaching stakeholders at scale.
Contribution
It distinguishes vulnerability notification from disclosure, providing a meta-review of recent strategies and compiling best practices for stakeholder communication.
Findings
Notification practices differ from disclosure and require tailored approaches.
Recent strategies have evolved to improve stakeholder engagement.
The paper offers guidelines to enhance notification effectiveness.
Abstract
Security researchers are interested in security vulnerabilities, but these vulnerabilities create risks for stakeholders. Coordinated Vulnerability Disclosure has been an accepted best practice for many years for disclosing newly discovered vulnerabilities. This practice has mostly worked, but it can become challenging when many different parties are involved. There has also been research into known vulnerabilities, using datasets or active scans to discover how many machines are still vulnerable. Ethical guidelines suggest that researchers also make an effort to notify the owners of these machines. We identify that this differs from vulnerability disclosure and is instead the practice of vulnerability notification. This practice has some similarities with vulnerability disclosure but should be distinguished from it, as it presents other challenges and requires a different…
