25th USENIX Security Symposium has ended
Back To Schedule
Friday, August 12 • 3:00pm - 3:30pm
You've Got Vulnerability: Exploring Effective Vulnerability Notifications

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Security researchers can send vulnerability notifications to take proactive measures in securing systems at scale. However, the factors affecting a notification’s efficacy have not been deeply explored. In this paper, we report on an extensive study of notifying thousands of parties of security issues present within their networks, with an aim of illuminating which fundamental aspects of notifications have the greatest impact on efficacy. The vulnerabilities used to drive our study span a range of protocols and considerations: exposure of industrial control systems; apparent firewall omissions for IPv6-based services; and exploitation of local systems in DDoS amplification attacks. We monitored vulnerable systems for several weeks to determine their rate of remediation. By comparing with experimental controls, we analyze the impact of a number of variables: choice of party to contact (WHOIS abuse contacts versus national CERTs versus US-CERT), message verbosity, hosting an information website linked to in the message, and translating the message into the notified party’s local language. We also assess the outcome of the emailing process itself (bounces, automated replies, human replies, silence) and characterize the sentiments and perspectives expressed in both the human replies and an optional anonymous survey that accompanied our notifications.

We find that various notification regimens do result in different outcomes. The best observed process was directly notifying WHOIS contacts with detailed information in the message itself. These notifications had a statistically significant impact on improving remediation, and human replies were largely positive. However, the majority of notified contacts did not take action, and even when they did, remediation was often only partial. Repeat notifications did not further patching. These results are promising but ultimately modest, behooving the security community to more deeply investigate ways to improve the effectiveness of vulnerability notifications.


Michael Bailey

University of Illinois, Urbana-Champaign
Michael Bailey is an associate professor of electrical and computer engineering. His research interests lie in the areas of the security and availability of complex distributed systems. His work informs both the development of such systems as well as the sciences of computer security... Read More →

Zakir Durumeric

University of Michigan, Ann Arbor

Frank Li

UC Berkeley

Prof. Damon McCoy

New York University

Stefan Savage


Friday August 12, 2016 3:00pm - 3:30pm PDT
Zilker Ballroom 2