That Hacker by Van't Hof (2016) Can Be Seen As a Reflection of Data


Weulen Kranenbarg et al. Crime Sci (2018) 7:16
https://doi.org/10.1186/s40163-018-0090-8

THEORETICAL ARTICLE (Open Access)

Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure

Marleen Weulen Kranenbarg1*, Thomas J. Holt2 and Jeroen van der Ham3

Abstract

In the computer science field, coordinated vulnerability disclosure is a well-known practice for finding flaws in IT-systems and patching them. In this practice, a white-hat hacker who finds a vulnerability in an IT-system reports that vulnerability to the system's owner. The owner will then resolve the problem, after which the vulnerability will be disclosed publicly. This practice generally does not focus on potential offenders or black-hat hackers, who would likely exploit the vulnerability instead of reporting it. In this paper, we take an interdisciplinary approach and review the current coordinated vulnerability disclosure practice from both a computer science and a criminological perspective. We discuss current issues in this practice that could influence the decision to use coordinated vulnerability disclosure versus exploiting a vulnerability. Based on different motives, a rational choice or cost–benefit analysis of the possible reactions after finding a vulnerability will be discussed. Subsequently, implications for practice and suggestions for future research are included.

Keywords: Coordinated vulnerability disclosure, Responsible disclosure, Interdisciplinary, Bug bounty, Rational choice theory, Criminal motives, Hacking, Cybercrime

*Correspondence: [email protected]
1 Department of Criminology, Faculty of Law, Vrije Universiteit (VU) Amsterdam, De Boelelaan 1105, 1081 HV Amsterdam, The Netherlands
Full list of author information is available at the end of the article

© The Author(s) 2018. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Introduction

Computer hardware and software products are designed to be as user-friendly as possible, trading security for usability in some cases (Newman and Clarke 2003; Van Schaik et al. 2017). Consequently, enterprising security researchers and criminal hackers may identify flaws within computer devices in order to make them operate in unintended ways (Jordan and Taylor 1998; Taylor 1999). These flaws are commonly referred to as vulnerabilities, as they enable an attacker to gain access to computer systems and data for malicious use. When an individual identifies a vulnerability, they basically have four options: (1) do nothing about it, (2) report the flaw to the vendor or a related security organization for mediation, (3) report the flaw publicly, (4) keep this information private so that it can be used for attack, either by the person who identified the vulnerability, or by selling the vulnerability to someone else on an underground market.

Public reporting on vulnerabilities has evolved over the last 30 years, reflecting shifts in the dynamics between security organizations and the hacker community. Initially, many security researchers tried to shame vendors by disclosing all details as soon as the vulnerability was discovered. Such a move would enable attackers to use the vulnerability to compromise systems before they could be corrected. In the last few years, reporting has tended more towards coordinated disclosure, where a researcher privately contacts a vendor to resolve the vulnerability before going public with his findings. Additionally, there has been an increase in "bug bounties", where a person is paid for vulnerability disclosures by security vendors (NTIA 2016).

The general term that will be used in this article to refer to vulnerability disclosures is coordinated vulnerability disclosure (CVD). In general, CVD is a practice in which a hacker who finds a vulnerability in an IT-system reports that vulnerability to the system's owner. The owner will then resolve the problem, after which the vulnerability can be disclosed publicly. In order to prevent criminal use of the vulnerability, it is key that the hacker does not share or publicly disclose the vulnerability before the problem has been fixed. The details and different CVD-forms will be discussed later in this paper. The overarching goal of having a CVD policy is to make IT-systems more secure and prevent the criminal use of vulnerabilities in IT-systems (ISO/IEC 2014; NCSC 2013; NTIA 2016).

The Netherlands is one of the few countries in the world with official guidelines for vulnerability disclosure. In 2013, the Dutch National Cyber Security Centre (NCSC) introduced a guideline for Responsible Disclosure (NCSC 2013). This document provided guidelines for the vulnerability disclosure process from both the researcher's and the organization's point of view. The Dutch Public Prosecutor has officially endorsed this guideline and has taken elements of it as a decision framework for when to prosecute (Public Prosecution Service 2013). Since 2013, there have been many successful CVD-cases, ranging from large disclosures by academic researchers to small disclosures that led to configurational changes (NCSC 2017). There have been several cases where a discloser even ended up with a job at the vulnerable organization, but also cases with successful prosecution when the discloser went too far (Van't Hof 2016). Last year the US guidelines were published (Department of Justice 2017), but for the sake of clarity the focus of this paper will be on the Dutch guidelines.

The overarching goal of CVD shows a focus on the victim side and on the prevention of data breaches and other victimization types. This makes sense, as the CVD policy originates from the computer science field, which generally focuses on making IT-systems more secure. CVD policies also seem to target so-called white-hat or ethical hackers. Criminological inquiries, however, focus on the offenders engaged in criminal hacks and misuse of vulnerabilities (for a review see Holt and Bossler 2016).

So, what can we learn from a combined computer science and criminological perspective on CVD? What are the key requirements for a successful CVD policy and how do these relate to criminological explanations for criminal hacking? What are the main problems with current CVD policies and how do these relate to ethical and criminal use of vulnerabilities? Will a CVD policy mainly work for white-hat or ethical hackers, or can we expect it to help potential offenders to choose the ethical instead of the criminal path? And lastly, which empirical research questions should be addressed to further inform us about these questions? In this paper, we will shed light on these questions from both a computer science and a criminological perspective.

Coordinated vulnerability disclosure

The Netherlands was one of the first countries to legally recognize the practice of CVD policies. At the time it was called responsible disclosure. The need for a formal policy on vulnerability disclosure arose as a result of some cases that were reported in Dutch media, in which it was unclear if a hacker acted responsibly or if the hacker crossed a line and acted criminally (Van't Hof 2016). Therefore, in 2013 the NCSC of The Netherlands published guidelines for responsible disclosure policies. Later, the term "responsible" was deemed too loaded; the new term "coordinated" conveys that CVD is a process between two equal participants. Coordinated vulnerability disclosure is now used nationally and internationally. The vulnerability disclosure process is described in the guidelines for disclosure of potential vulnerabilities in products and online services (ISO/IEC 29147:2014) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), see ISO/IEC (2014).

In order to look at CVD from a criminological perspective, it is first necessary to discuss all aspects of CVD as it arose from computer science. The main goal of an established CVD policy is to invite white-hat hackers to report any vulnerabilities they find in an IT-system to its owner. They should also not discuss the vulnerability with anyone else or disclose it publicly anywhere. In this way, the vulnerability is likely only known to the owner and the discloser, which means that the exploitation risk of that vulnerability is minimized. The owner will then try to mitigate the vulnerability as soon as possible, ideally in consultation with the discloser. After the vulnerability has been fixed, the discloser and owner will decide if and how it should be disclosed to the public (ISO/IEC 2014; NCSC 2013; NTIA 2016).

This policy is beneficial for the IT-systems' owners, as they will learn about their vulnerabilities and potentially improve their security posture. This policy provides some certainty for both parties, especially the disclosers, who may have committed a crime by finding the vulnerability. As long as the discloser abides by the policy's terms, the IT-system's owner should generally not report their actions to the police. In this way both parties collaborate in their common goal to improve cybersecurity (NCSC 2013). It should be noted that currently there is no guarantee that the public prosecutor will not prosecute a discloser for any crimes that have been committed.

Representative information about the type and amount of vulnerabilities that are disclosed by using CVD is not available. Nevertheless, some descriptive information should be discussed in order to understand the possible problems of these policies in preventing crime on both the victim and the offender side.
