Differences between revisions 132 and 133
Revision 132 as of 2018-06-01 19:20:43
Size: 84382
Editor: ?fenris
Revision 133 as of 2019-05-27 12:21:17
Size: 84656
Editor: ?fenris
Change at line 984 (addition):

 * 2018: "Software Vulnerability Disclosure in Europe: Summary and Key Highlights of the European Parliament CEPS Task Force Report" by HackerOne. https://www.hackerone.com/blog/Software-Vulnerability-Disclosure-Europe-Summary-and-Key-Highlights-European-Parliament-CEPS

Vulnerability disclosure publications and discussion tracking

Editors: OUSPG crew (OUSPG), Juhani Eronen (NCSC-FI), Ari Takanen (Codenomicon)


A long and vivid debate for and against the different vulnerability disclosure models is still taking place. Sources that collect all these valuable arguments are scarce. This document acts as a placeholder for related contributions that we are aware of. Papers, articles and more informal documents are grouped by type of publication. We hope that these links are useful to anyone familiarising themselves with the scene or planning further contributions.

Academic publications

Conference papers, etc.

  • 1999: "The Vulnerability Process: a tiger team approach to resolving vulnerability cases" by OUSPG, presented at FIRST'1999.
  • 2000: "When worlds collide..." by Sarah Gordon, presented at EICAR 2000. Describes the differences in disclosure practice between the anti-virus community and the security community.
    • Cite: Sarah Gordon, Richard Ford. "When Worlds Collide: Information Sharing for the Security and Anti-virus Communities". EICAR 2000 Best Paper Proceedings.
  • 2001: "A Trend Analysis of Exploitations" by Hilary Browne, William A. Arbaugh, John McHugh, and William L. Fithen, presented at the 2001 IEEE Symposium on Security and Privacy.
    • Cite: Hilary Browne, William A. Arbaugh, John McHugh, and William L. Fithen. "A Trend Analysis of Exploitations". 2001 IEEE Symposium on Security and Privacy. Oakland, California, USA. http://www.cs.umd.edu/~waa/pubs/CS-TR-4200.pdf

  • 2001: "Introducing constructive vulnerability disclosures" by OUSPG, presented at FIRST'2001.
  • 2003: "Communication in Software Vulnerability Process" by Tiina Havana and Juha Röning presented at FIRST'2003.
  • 2006: "Emerging Economic Models for Vulnerability Research" by Michael Sutton and Frank Nagle presented at the Workshop on the Economics of Information Security 2006.
    • Cite: Michael Sutton and Frank Nagle. "Emerging Economic Models for Vulnerability Research". In proceedings of The Fifth Workshop on the Economics of Information Security (WEIS 2006). Robinson College, University of Cambridge, England. http://weis2006.econinfosec.org/docs/17.pdf

  • 2005: "Impact of Vulnerability Disclosure on Market Value of Software Vendors: An Empirical Analysis" by Rahul Telang, Sunil Wattal.
  • 2007: "Network Security: Vulnerabilities and Disclosure Policy" by Jay Phil Choi, Chaim Fershtman, Neil Gandal.
  • 2013: "An Empirical Study of Vulnerability Rewards Programs" by Matthew Finifter, Devdatta Akhawe, and David Wagner.
    • Cite: Matthew Finifter, Devdatta Akhawe, and David Wagner. "An Empirical Study of Vulnerability Rewards Programs". University of California, Berkeley.


Journal articles, Publication series, etc.

  • 2000: "Windows of Vulnerability: A Case Study Analysis" by William A. Arbaugh, William L. Fithen, and John McHugh. Published in (IEEE) Computer.

  • 2002: "Computer security publications: information economics, shifting liability and the first amendment" by Ethan Preston and John Lofton. Published in 24 Whittier Law Review.
  • 2004: "War, Peace, or Stalemate: Wargames, Wardialing, Wardriving, and the Emerging Market for Hacker Ethics" by Patrick S. Ryan. Published in the Virginia Journal of Law & Technology.
    • Cite: Patrick S. Ryan. War, Peace, or Stalemate: Wargames, Wardialing, and the Emerging Market for Hacker Ethics. (2004). http://ssrn.com/abstract=585867. Virginia Journal of Law and Technology. Vol. 9 No. 7, Summer 2004.

  • 2004: "Agents of responsibility in software vulnerability processes" by Ari Takanen, Petri Vuorijärvi, Marko Laakso and Juha Röning.
  • 2004: "Deworming the Internet" by Douglas Barnes.
  • 2004: "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?" by Peter P. Swire.
  • 2006: "Does Information Security attack frequency increase with Vulnerability disclosure? - An Empirical Analysis" by Anindya Ghose, Michael Smith, Rahul Telang.
  • 2007: "Optimal Policy for Software Vulnerability Disclosure" by Rahul Telang.
  • 2010: "Security ethics - Manufacturers of computer systems should welcome researchers' efforts to find flaws.". Editorial in Nature. Nature 463, 136 (14 January 2010) | doi:10.1038/463136a; Published online 13 January 2010.
  • 2010: "The Hacker's Aegis" by Bambauer, Derek E. and Day, Oliver
    • Cite: Bambauer, Derek E. and Day, Oliver, The Hacker's Aegis (March 1, 2010). Brooklyn Law School, Legal Studies Paper No. 184. Available at SSRN: http://ssrn.com/abstract=1561845

Conference speeches

Books, theses and reports

  • 2000: "Reporting Security Problems" by Elias Levy. Chapter 15 of "Hack proofing your network" by Syngress Media, Inc.
    • Cite: Various. Hack proofing your network. (2000). Syngress Media, Inc. ISBN: 1-928994-15-6.
  • 2002: "Who's Liable for Security Bugs? Stuck Between a Rock and a Hard Place with Full Disclosure" by Pete Lindstrom. Published by Hurwitz Group.
    • Cite: Pete Lindstrom. Who's Liable for Security Bugs?. (2002). Hurwitz Group.
  • 2003: "Communication in the Software Vulnerability Reporting Process" by Tiina Havana

White papers (or other online publications)

Disclosure policies and Guidelines


News articles

Blog entries

Selected messages from discussion lists

Selected threads from newsgroup discussions

Selected threads from bulletin boards


Other resources