
URLs are valid as of the publication date of this document.

[1]

B. Cancilla, "Return of the Browser Wars," August 2004. [Online]. Available: http://www.ibmsystemsmag.com/ibmi/trends/whatsnew/Return-of-the-Browser-Wars/. [Accessed 17 May 2017].

[2]

A. Manion, "Vulnerability Note VU#713878 Microsoft Internet Explorer does not properly validate source of redirected frame," CERT/CC, 9 June 2004. [Online]. Available: https://www.kb.cert.org/vuls/id/713878. [Accessed 17 May 2017].

[3]

Oxford Living Dictionaries (English), "process," [Online]. Available: https://en.oxforddictionaries.com/definition/process. [Accessed 17 May 2017].


[4]

Kissel, Richard (Editor), "NISTIR 7298 Revision 2 Glossary of Key Information Security Terms," U.S. Department of Commerce, 2013.

[5]

R. Caralli, J. H. Allen and D. W. White, CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience, Addison-Wesley Professional, 2010.

[6]

A. Shostack, Threat modeling: Designing for Security, John Wiley & Sons, 2014.

[7]

F. Swiderski and W. Snyder, Threat Modeling, Microsoft Press, 2004.

[8]

R. C. Seacord, The CERT C Secure Coding Standard, Pearson Education, 2008.

[9]

F. Long, D. Mohindra, R. C. Seacord and D. a. S. D. Sutherland, The CERT Oracle Secure Coding Standard for Java, Addison-Wesley Professional, 2011.

[10]

G. McGraw, Software Security: Building Security In, Addison-Wesley Professional, 2006.

[11]

G. Peterson, P. Hope and S. Lavenhar, "Architectural Risk Analysis," 2 July 2013. [Online]. Available: https://www.us-cert.gov/bsi/articles/best-practices/architectural-risk-analysis/architectural-risk-analysis. [Accessed 23 May 2017].

[12]

J. Ryoo, R. Kazman and P. Anand, "Architectural Analysis for Security," IEEE Security & Privacy, vol. 13, no. 6, pp. 52-59, 2015.

[13]

A. Householder, "Like Nailing Jelly to the Wall: Difficulties in Defining 'Zero-Day Exploit'," CERT, 7 July 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/07/like-nailing-jelly-to-the-wall-difficulties-in-defining-zero-day-exploit.html. [Accessed 23 May 2017].

[14]

MITRE, "Common Vulnerabilities and Exposures," [Online]. Available: https://cve.mitre.org/. [Accessed 16 May 2017].

[15]

CERT/CC, "Vulnerability Notes Database," [Online]. Available: https://www.kb.cert.org/vuls. [Accessed 16 May 2017].

[16]

SecurityFocus, "Vulnerabilities," [Online]. Available: http://www.securityfocus.com/bid. [Accessed 23 May 2017].

[17]

ISO/IEC, "ISO/IEC 29147:2014 Information technology—Security techniques—Vulnerability disclosure," 2014.

[18]

S. Christey and C. Wysopal, "Responsible Vulnerability Disclosure Process draft-christey-wysopal-vuln-disclosure-00.txt," February 2002. [Online]. Available: https://tools.ietf.org/html/draft-christey-wysopal-vuln-disclosure-00. [Accessed 17 May 2017].

[19]

MSRC Ecosystem Strategy Team, "Coordinated Vulnerability Disclosure: Bringing Balance to the Force," 22 July 2010. [Online]. Available: https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force/. [Accessed 23 May 2017].

[20]

Microsoft Security Response Center, "Coordinated Vulnerability Disclosure," Microsoft, [Online]. Available: https://technet.microsoft.com/en-us/security/dn467923.aspx. [Accessed 23 May 2017].

[21]

M. Souppaya and K. Scarfone, "NIST Special Publication 800-40 Revision 3 Guide to Enterprise Patch Management Technologies," U.S. Department of Commerce, 2013.

[22]

A. Arora, A. Nandkumar and R. Telang, "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, vol. 8, no. 5, pp. 350-362, 2006.

[23]

FIRST, "Forum for Incident Response and Security Teams," [Online]. Available: https://www.first.org/. [Accessed 17 May 2017].

[24]

FIRST, "Vulnerability Coordination SIG," [Online]. Available: https://www.first.org/global/sigs/vulnerability-coordination. [Accessed 17 May 2017].

[25]

National Telecommunications and Information Administration, "Multistakeholder Process: Cybersecurity Vulnerabilities," 15 December 2016. [Online]. Available: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities. [Accessed 17 May 2017].

[26]

Harm Reduction Coalition, "Principles of Harm Reduction," [Online]. Available: http://harmreduction.org/about-us/principles-of-harm-reduction/. [Accessed 23 May 2017].

[27]

Harm Reduction Coalition, "What is harm reduction?" [Online]. Available: https://www.hri.global/what-is-harm-reduction. [Accessed 23 May 2017].

[28]

A. Householder, "Systemic Vulnerabilities: An Allegorical Tale of Steampunk Vulnerability to Aero-Physical Threats," August 2015. [Online]. Available: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=442528. [Accessed 17 May 2017].

[29]

I Am The Cavalry, "5 Motivations of Security Researchers," [Online]. Available: https://www.iamthecavalry.org/motivations/. [Accessed 17 May 2017].

[30]

NTIA Awareness and Adoption Working Group, "Vulnerability Disclosure Attitudes and Actions: A Research Report from the NTIA Awareness and Adoption Group," 15 December 2016. [Online]. Available: https://www.ntia.doc.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclosure_insights_report.pdf. [Accessed 6 June 2017].

[31]

FIRST, "Ethics SIG," [Online]. Available: https://www.first.org/global/sigs/ethics. [Accessed 17 May 2017].

[32]

Association for Computing Machinery, "ACM Code of Ethics and Professional Conduct," 16 October 1992. [Online]. Available: https://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct. [Accessed 17 May 2017].

[33]

USENIX, "System Administrators' Code of Ethics," 30 September 2003. [Online]. Available: https://www.usenix.org/system-administrators-code-ethics. [Accessed 17 May 2017].

[34]

American Press Institute, "What is the purpose of journalism?" [Online]. Available: https://www.americanpressinstitute.org/journalism-essentials/what-is-journalism/purpose-journalism/. [Accessed 17 May 2017].

[35]

Society of Professional Journalists, "SPJ Code of Ethics," 6 September 2014. [Online]. Available: https://www.spj.org/ethicscode.asp. [Accessed 17 May 2017].

[36]

A. Ozment and S. E. Schechter, "Milk or wine: Does software security improve with age?" in USENIX Security, 2006.

[37]

K. Matsudaira, "Bad Software Architecture Is a People Problem," Communications of the ACM, vol. 59, no. 9, pp. 42-43, September 2016.

[38]

J. M. Wing, "A Symbiotic Relationship Between Formal Methods and Security," in Proceedings of the Conference on Computer Security, Dependability and Assurance: From Needs to Solutions, 1998.

[39]

E. Bobukh, "Equation of a Fuzzing Curve — Part 1/2," 18 December 2014. [Online]. Available: https://blogs.msdn.microsoft.com/eugene_bobukh/2014/12/18/equation-of-a-fuzzing-curve-part-12/. [Accessed 23 May 2017].

[40]

E. Bobukh, "Equation of a Fuzzing Curve — Part 2/2," 6 January 2015. [Online]. Available: https://blogs.msdn.microsoft.com/eugene_bobukh/2015/01/06/equation-of-a-fuzzing-curve-part-22/. [Accessed 23 May 2017].

[41]

H. W. Rittel and M. M. Webber, "Dilemmas in a General Theory of Planning," Policy Sciences, vol. 4, no. 1973, pp. 155-169, June 1973.

[42]

BBC, "Xbox password flaw exposed by five-year-old boy," 4 April 2014. [Online]. Available: http://www.bbc.com/news/technology-26879185. [Accessed 16 May 2017].

[43]

Microsoft, "What is the Security Development Lifecycle?" [Online]. Available: https://www.microsoft.com/en-us/sdl/. [Accessed 16 May 2017].

[44]

BSIMM, "BSIMM Framework," [Online]. Available: https://www.bsimm.com/framework/. [Accessed 16 May 2017].

[45]

ISO/IEC, "ISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes," 2013.

[46]

Microsoft, "Microsoft Security Response Center," [Online]. Available: https://technet.microsoft.com/en-us/security/dn440717.aspx. [Accessed 23 May 2017].

[47]

Cisco Systems, "Security Vulnerability Policy," [Online]. Available: https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html. [Accessed 23 May 2017].

[48]

FIRST, "FIRST Teams," [Online]. Available: https://www.first.org/members/teams. [Accessed 16 May 2017].

[49]

CERT Division, "CSIRT Frequently Asked Questions (FAQ)," Software Engineering Institute, [Online]. Available: https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm? [Accessed 16 May 2017].

[50]

CERT Division, "Incident Management: Resources for National CSIRTs," Software Engineering Institute, [Online]. Available: https://www.cert.org/incident-management/national-csirts/index.cfm. [Accessed 16 May 2017].

[51]

CERT, "List of National CSIRTs," [Online]. Available: https://www.cert.org/incident-management/national-csirts/national-csirts.cfm. [Accessed 23 May 2017].

[52]

BugCrowd, "BugCrowd," [Online]. Available: https://bugcrowd.com/. [Accessed 23 May 2017].

[53]

HackerOne, "HackerOne," [Online]. Available: https://www.hackerone.com. [Accessed 23 May 2017].

[54]

SynAck, "SynAck," [Online]. Available: https://www.synack.com. [Accessed 23 May 2017].

[55]

Cobalt Labs Inc., "Cobalt," [Online]. Available: https://cobalt.io/. [Accessed 23 May 2017].

[56]

CERT, "Vulnerability Analysis," [Online]. Available: https://www.cert.org/vulnerability-analysis/. [Accessed 23 May 2017].

[57]

National Cyber Security Centre Netherlands, "NCSC-NL," [Online]. Available: https://www.ncsc.nl/english. [Accessed 23 May 2017].

[58]

NCSC-FI, "Finnish Communications Regulatory Authority / National Cyber Security Centre Finland," [Online]. Available: https://www.viestintavirasto.fi/en/cybersecurity.html.

[59]

JPCERT/CC, "Japan Computer Emergency Response Team Coordination Center," [Online]. Available: https://www.jpcert.or.jp/english/. [Accessed 16 May 2017].

[60]

U.S. Department of Homeland Security, "Information Sharing and Analysis Organizations (ISAOs)," [Online]. Available: https://www.dhs.gov/isao. [Accessed 23 May 2017].

[61]

National Council of ISACs, "National Council of ISACs," [Online]. Available: https://www.nationalisacs.org/. [Accessed 23 May 2017].

[62]

W. Dormann, "Supporting the Android Ecosystem," 19 October 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/10/supporting-the-android-ecosystem.html. [Accessed 23 May 2017].

[63]

U.S. Food & Drug Administration, "Medical Device Reporting (MDR)," [Online]. Available: https://www.fda.gov/medicaldevices/safety/reportaproblem/. [Accessed 23 May 2017].

[64]

National Highway Traffic Safety Administration, "File a Vehicle Safety Complaint," [Online]. Available: https://www-odi.nhtsa.dot.gov/VehicleComplaint/. [Accessed 23 May 2017].

[65]

Federal Aviation Administration, "Report Safety Issues," [Online]. Available: https://www.faa.gov/aircraft/safety/report/. [Accessed 23 May 2017].

[66]

NASA Office of the Chief Engineer, "NASA Lessons Learned," NASA Lessons Learned Steering Committee (LLSC), [Online]. Available: https://www.nasa.gov/offices/oce/functions/lessons/index.html. [Accessed 16 May 2017].

[67]

European Commission, "Dual Use Controls: Commission proposes to modernise and strengthen controls on exports of dual-use items," 28 September 2016. [Online]. Available: http://europa.eu/rapid/press-release_IP-16-3190_en.htm. [Accessed 23 May 2017].

[68]

FIRST, "Vulnerability Database Catalog," FIRST VRDX SIG, 17 March 2016. [Online]. Available: https://www.first.org/global/sigs/vrdx/vdb-catalog. [Accessed 16 May 2017].

[69]

J. T. Chambers and J. W. Thompson, "National Infrastructure Advisory Council Vulnerability Disclosure Framework Final Report and Recommendations by the Council," 13 January 2004. [Online]. Available: https://www.dhs.gov/xlibrary/assets/vdwgreport.pdf. [Accessed 17 May 2017].

[70]

J. C. Knight, "Safety critical systems: challenges and directions," in ICSE '02 Proceedings of the 24th International Conference on Software Engineering, Orlando, 2002.

[71]

U.S. Department of Health & Human Services, "Health Information Privacy," [Online]. Available: https://www.hhs.gov/hipaa/. [Accessed 23 May 2017].

[72]

U.S. Department of Education, "Family Educational Rights and Privacy Act (FERPA)," [Online]. Available: ed.gov/policy/gen/guid/fpco/ferpa/index.html. [Accessed 23 May 2017].

[73]

Federal Trade Commission, "Children's Online Privacy Protection Rule ("COPPA")," [Online]. Available: https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule. [Accessed 23 May 2017].

[74]

PCI Security Standards Council, "PCI Security," [Online]. Available: https://www.pcisecuritystandards.org/pci_security/. [Accessed 23 May 2017].

[75]

Electronic Frontier Foundation, "Coders' Rights Project Vulnerability Reporting FAQ," [Online]. Available: https://www.eff.org/issues/coders/vulnerability-reporting-faq. [Accessed 17 May 2017].

[76]

K. Price, "Writing a bug report - Attack Scenario and Impact are key!" 2 August 2015. [Online]. Available: https://forum.bugcrowd.com/t/writing-a-bug-report-attack-scenario-and-impact-are-key/640. [Accessed 17 May 2017].

[77]

MITRE, "Common Weakness Enumeration (CWE)," [Online]. Available: https://cwe.mitre.org/. [Accessed 17 May 2017].

[78]

MITRE, "Common Attack Pattern Enumeration and Classification," [Online]. Available: https://capec.mitre.org/. [Accessed 17 May 2017].

[79]

CERT/CC, "Vulnerability Reporting Form," [Online]. Available: https://vulcoord.cert.org/VulReport/. [Accessed 17 May 2017].

[80]

FIRST, "Common Vulnerability Scoring System," [Online]. Available: https://www.first.org/cvss. [Accessed 17 May 2017].

[81]

MITRE, "Common Weakness Scoring System (CWSS) version 1.0.1," 5 September 2014. [Online]. Available: https://cwe.mitre.org/cwss/cwss_v1.0.1.html. [Accessed 17 May 2017].

[82]

Security Focus, "BugTraq Archive," [Online]. Available: http://www.securityfocus.com/archive/1. [Accessed 23 May 2017].

[83]

Seclists.org, "Full Disclosure Mailing List," [Online]. Available: http://seclists.org/fulldisclosure/. [Accessed 23 May 2017].

[84]

MITRE, "Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) Rules Version 1.1," 16 September 2016. [Online]. Available: https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf. [Accessed 16 May 2017].

[85]

J. Postel, "Internet Protocol (RFC 760)," 1980.

[86]

N. Brownlee and E. Guttman, "Expectations for Computer Security Incident Response," The Internet Society, 1998.

[87]

S. Shepherd, "Vulnerability Disclosure: How Do We Define Responsible Disclosure?" SANS GIAC SEC Practical Repository, 2003.

[88]

FIRST, "Multi-Party Coordination and Disclosure," [Online]. Available: https://www.first.org/global/sigs/vulnerability-coordination/multiparty. [Accessed 6 June 2017].

[89]

Codenomicon, "The Heartbleed Bug," 29 April 2014. [Online]. Available: http://heartbleed.com/. [Accessed 16 May 2017].

[90]

J. P. Lanza, "Vulnerability Note VU#484891 Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server Resolution Service," 26 July 2002.

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8b26cb51-9ff5-4089-8799-8be270fc6688"><ac:plain-text-body><![CDATA[

[51]

CERT, "List of National CSIRTs," [Online]. Available: https://www.cert.org/incident-management/national-csirts/national-csirts.cfm. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d92ceafc-235f-4981-9b6c-b115c8e66a31"><ac:plain-text-body><![CDATA[

[52]

BugCrowd, "BugCrowd," [Online]. Available: https://bugcrowd.com/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="84ee1a8e-73ca-4607-bef9-7d9418e8beac"><ac:plain-text-body><![CDATA[

[53]

HackerOne, "HackerOne," [Online]. Available: https://www.hackerone.com. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="027d1a45-0e50-4801-b713-e8024e02ae4d"><ac:plain-text-body><![CDATA[

[54]

SynAck, "SynAck," [Online]. Available: https://www.synack.com/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="800a3632-ef71-4ad1-a082-df0ef04c0309"><ac:plain-text-body><![CDATA[

[55]

Cobalt Labs Inc., "Cobalt," [Online]. Available: https://cobalt.io/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="daaa3c92-db09-4fbf-b9ad-1b84c8bd77cf"><ac:plain-text-body><![CDATA[

[56]

CERT, "Vulnerability Analysis," [Online]. Available: https://www.cert.org/vulnerability-analysis/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6455f29c-eb94-4eea-b4a1-84cb5418c278"><ac:plain-text-body><![CDATA[

[57]

National Cyber Security Centre Netherlands, "NCSC-NL," [Online]. Available: https://www.ncsc.nl/english. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="242adadb-5ee1-4fb8-a765-79ef87bfdf80"><ac:plain-text-body><![CDATA[

[58]

NCSC-FI, "Finnish Communications Regulatory Authority / National Cyber Security Centre Finland," [Online]. Available: https://www.viestintavirasto.fi/en/cybersecurity.html.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="640bb9b3-c42e-48fe-aeb4-cc1a1a30ea9a"><ac:plain-text-body><![CDATA[

[59]

JPCERT/CC, "Japan Computer Emergency Response Team Coordination Center," [Online]. Available: https://www.jpcert.or.jp/english/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="abf82ab2-6169-4a51-b761-633a13a72c9b"><ac:plain-text-body><![CDATA[

[60]

U.S. Department of Homeland Security, "Information Sharing and Analysis Organizations (ISAOs)," [Online]. Available: https://www.dhs.gov/isao. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="67eaee14-b432-4489-bf5b-bbcaa88f1b9b"><ac:plain-text-body><![CDATA[

[61]

National Council of ISACs, "National Council of ISACs," [Online]. Available: https://www.nationalisacs.org/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6ebd0751-af98-439a-8bd8-bffe43e48477"><ac:plain-text-body><![CDATA[

[62]

W. Dormann, "Supporting the Android Ecosystem," 19 October 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/10/supporting-the-android-ecosystem.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="86940a34-83f5-4252-8d81-d7f7cc89b2a7"><ac:plain-text-body><![CDATA[

[63]

U.S. Food & Drug Administration, "Medical Device Reporting (MDR)," [Online]. Available: https://www.fda.gov/medicaldevices/safety/reportaproblem/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9fa4247c-9cbb-4fc6-b1d2-023518e7c32e"><ac:plain-text-body><![CDATA[

[64]

National Highway Traffic Safety Administration, "File a Vehicle Safety Complaint," [Online]. Available: https://www-odi.nhtsa.dot.gov/VehicleComplaint/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e3975784-5c39-444d-bb6f-e72afa08af4b"><ac:plain-text-body><![CDATA[

[65]

Federal Aviation Administration, "Report Safety Issues," [Online]. Available: https://www.faa.gov/aircraft/safety/report/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b0eb20ba-fb65-489c-989c-24fdcf8d6ace"><ac:plain-text-body><![CDATA[

[66]

NASA Office of the Chief Engineer, "NASA Lessons Learned," NASA Lessons Learned Steering Committee (LLSC), [Online]. Available: https://www.nasa.gov/offices/oce/functions/lessons/index.html. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="607c0c96-ef63-4003-bf0a-4168411489c1"><ac:plain-text-body><![CDATA[

[67]

European Commission, "Dual Use Controls: Commission proposes to modernise and strengthen controls on exports of dual-use items," 28 September 2016. [Online]. Available: http://europa.eu/rapid/press-release_IP-16-3190_en.htm. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2ea7522b-11db-430f-9143-7c00e0d20624"><ac:plain-text-body><![CDATA[

[68]

FIRST, "Vulnerability Database Catalog," FIRST VRDX SIG, 17 March 2016. [Online]. Available: https://www.first.org/global/sigs/vrdx/vdb-catalog. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="73412e35-7bea-47d1-bd30-4bdd817a851a"><ac:plain-text-body><![CDATA[

[69]

J. T. Chambers and J. W. Thompson, "National Infrastructure Advisory Council Vulnerability Disclosure Framework Final Report and Recommendations by the Council," 13 January 2004. [Online]. Available: https://www.dhs.gov/xlibrary/assets/vdwgreport.pdf. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6067c751-7fdc-48b8-a70e-420dbfea631d"><ac:plain-text-body><![CDATA[

[70]

J. C. Knight, "Safety critical systems: challenges and directions," in ICSE '02 Proceedings of the 24th International Conference on Software Engineering, Orlando, 2002.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5d947e1d-6149-4bd9-b292-bf1d0fa01dc2"><ac:plain-text-body><![CDATA[

[71]

U.S. Department of Health & Human Services, "Health Information Privacy," [Online]. Available: https://www.hhs.gov/hipaa/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="76743252-405d-4cb5-bf73-902b0cac58f1"><ac:plain-text-body><![CDATA[

[72]

U.S. Department of Education, "Family Educational Rights and Privacy Act (FERPA)," [Online]. Available: https://ed.gov/policy/gen/guid/fpco/ferpa/index.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a09f27d2-b46e-4125-a01c-fdde7c3a4a2b"><ac:plain-text-body><![CDATA[

[73]

Federal Trade Commission, "Children's Online Privacy Protection Rule ("COPPA")," [Online]. Available: https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ae46aa8d-87d7-4d6a-af26-67e8313f8f25"><ac:plain-text-body><![CDATA[

[74]

PCI Security Standards Council, "PCI Security," [Online]. Available: https://www.pcisecuritystandards.org/pci_security/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5b52119e-f2b2-4b56-9ddd-ffd95def23d5"><ac:plain-text-body><![CDATA[

[75]

Electronic Frontier Foundation, "Coders' Rights Project Vulnerability Reporting FAQ," [Online]. Available: https://www.eff.org/issues/coders/vulnerability-reporting-faq. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c07b1397-4747-4f8e-91a2-54bd94f8f813"><ac:plain-text-body><![CDATA[

[76]

K. Price, "Writing a bug report - Attack Scenario and Impact are key!" 2 August 2015. [Online]. Available: https://forum.bugcrowd.com/t/writing-a-bug-report-attack-scenario-and-impact-are-key/640. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="74cc1f51-701a-4cb7-90fc-5cba8e699176"><ac:plain-text-body><![CDATA[

[77]

MITRE, "Common Weakness Enumeration (CWE)," [Online]. Available: https://cwe.mitre.org/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="811e21a2-244c-467f-aed8-e55f9e9390b1"><ac:plain-text-body><![CDATA[

[78]

MITRE, "Common Attack Pattern Enumeration and Classification," [Online]. Available: https://capec.mitre.org/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3ec99577-9a5c-42f5-9a57-bd08e31db394"><ac:plain-text-body><![CDATA[

[79]

CERT/CC, "Vulnerability Reporting Form," [Online]. Available: https://vulcoord.cert.org/VulReport/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9df61c70-be8b-4898-9762-8a87f2db3a89"><ac:plain-text-body><![CDATA[

[80]

FIRST, "Common Vulnerability Scoring System," [Online]. Available: https://www.first.org/cvss. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c8923947-d022-41e8-944b-2be0df50f319"><ac:plain-text-body><![CDATA[

[81]

MITRE, "Common Weakness Scoring System (CWSS) version 1.0.1," 5 September 2014. [Online]. Available: https://cwe.mitre.org/cwss/cwss_v1.0.1.html. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7242de47-26e7-4357-93ed-46a95d233390"><ac:plain-text-body><![CDATA[

[82]

Security Focus, "BugTraq Archive," [Online]. Available: http://www.securityfocus.com/archive/1. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="43330a61-b192-4978-844a-99568c2f241d"><ac:plain-text-body><![CDATA[

[83]

Seclists.org, "Full Disclosure Mailing List," [Online]. Available: http://seclists.org/fulldisclosure/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6ea232f3-1749-4b6f-94bb-1322d02f6c9c"><ac:plain-text-body><![CDATA[

[84]

MITRE, "Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) Rules Version 1.1," 16 September 2016. [Online]. Available: https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="185e8ed8-fe05-487a-89eb-b6e1c7446808"><ac:plain-text-body><![CDATA[

[85]

J. Postel, "Internet Protocol (RFC 760)," 1980.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d395a9c6-2d5b-48c9-9996-42ef16c3c711"><ac:plain-text-body><![CDATA[

[86]

N. Brownlee and E. Guttman, "Expectations for Computer Security Incident Response," The Internet Society, 1998.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0ac6f449-495f-42ce-a1ef-4d8debf8b9ca"><ac:plain-text-body><![CDATA[

[87]

S. Shepherd, "Vulnerability Disclosure: How Do We Define Responsible Disclosure?" SANS GIAC SEC Practical Repository, 2003.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b6960e27-b25b-42f9-8de9-062eacd3b3c3"><ac:plain-text-body><![CDATA[

[88]

FIRST, "Multi-Party Coordination and Disclosure," [Online]. Available: https://www.first.org/global/sigs/vulnerability-coordination/multiparty. [Accessed 6 June 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5b923564-9ca5-45da-a684-5b15a6dbceb5"><ac:plain-text-body><![CDATA[

[89]

Codenomicon, "The Heartbleed Bug," 29 April 2014. [Online]. Available: http://heartbleed.com/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1307a895-35af-420d-9c7d-e21e97cbab11"><ac:plain-text-body><![CDATA[

[90]

J. P. Lanza, "Vulnerability Note VU#484891 Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server Resolution Service," 26 July 2002. [Online]. Available: https://www.kb.cert.org/vuls/id/484891. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fa8c98f7-eb59-4134-b78e-a6c7aa9ba4c6"><ac:plain-text-body><![CDATA[

[91]

W. Dormann, "Vulnerability Note VU#916896 Oracle Outside In 8.5.2 contains multiple stack buffer overflows," 20 January 2016. [Online]. Available: https://www.kb.cert.org/vuls/id/916896. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8d0678d7-b168-4613-9a90-4be85ead0e5c"><ac:plain-text-body><![CDATA[

[92]

W. Dormann, "Vulnerability Note VU#582497 Multiple Android applications fail to properly validate SSL certificates," CERT/CC, 3 September 2014. [Online]. Available: https://www.kb.cert.org/vuls/id/582497. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c3bcafbb-718c-4d5c-a06a-5d83879d206b"><ac:plain-text-body><![CDATA[

[93]

W. Dormann, "Android apps that fail to validate SSL," 29 August 2014. [Online]. Available: https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fdad01a5-40b1-4ab0-a08f-97bb86564337"><ac:plain-text-body><![CDATA[

[94]

University of Oulu, "PROTOS Test-Suite: c06-snmpv1," 2002. [Online]. Available: https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c06-snmpv1. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9c411f93-11f2-419c-8d30-ea6a44a5a208"><ac:plain-text-body><![CDATA[

[95]

I. A. Finlay, S. V. Hernan, J. A. Rafail, C. Dougherty, A. D. Householder, M. Lindner and A. Manion, "Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)," CERT/CC, 12 February 2002. [Online]. Available: https://www.cert.org/historical/advisories/CA-2002-03.cfm. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="43456553-f483-4d50-bc56-c7aa7f7d18b6"><ac:plain-text-body><![CDATA[

[96]

I. A. Finlay, "Vulnerability Note VU#854306 Multiple vulnerabilities in SNMPv1 request handling," CERT/CC, 12 February 2002. [Online]. Available: https://www.kb.cert.org/vuls/id/854306. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="47a6914c-ab2e-494d-8f42-03742d3cbbe0"><ac:plain-text-body><![CDATA[

[97]

I. A. Finlay, "Vulnerability Note VU#107186 Multiple vulnerabilities in SNMPv1 trap handling," CERT/CC, 12 February 2002. [Online]. Available: https://www.kb.cert.org/vuls/id/107186. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5533e0f2-bf5e-4b2f-974f-b82120f54bec"><ac:plain-text-body><![CDATA[

[98]

B. Stock, G. Pellegrino and C. Rossow, "Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification," in 25th USENIX Security Symposium, 2016.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2f46a747-73de-47d7-b2ab-9776789500b2"><ac:plain-text-body><![CDATA[

[99]

R. M. Axelrod, The Evolution of Cooperation, Revised ed., Basic Books, 2006.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f01ad78e-8c33-47e3-bfa1-a5403d871c66"><ac:plain-text-body><![CDATA[

[100]

D. R. Grimes, "On the Viability of Conspiratorial Beliefs," PLOS One, vol. 11, no. 1, p. e0147905, 26 January 2016.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ec163f1b-6b57-4355-bb28-b555e411dac0"><ac:plain-text-body><![CDATA[

[101]

Black Hat, "Black Hat," [Online]. Available: https://www.blackhat.com/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0ceb4a75-7f7d-456f-8ec2-8236f22ba9c6"><ac:plain-text-body><![CDATA[

[102]

DEF CON, "DEF CON," [Online]. Available: https://www.defcon.org/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6e6ab251-63af-475b-b545-bc4c25944215"><ac:plain-text-body><![CDATA[

[103]

USENIX, "USENIX Security Conferences," [Online]. Available: https://www.usenix.org/conferences/byname/108. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f620712e-ed2c-4eb1-9662-9706b7aa3732"><ac:plain-text-body><![CDATA[

[104]

RSA, "RSA Conference," [Online]. Available: https://www.rsaconference.com/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="32e59c20-adcf-4b69-b856-9c51d934f3dd"><ac:plain-text-body><![CDATA[

[105]

CanSecWest, "CanSecWest Vancouver 2018," [Online]. Available: https://cansecwest.com/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7341f367-1849-4e31-a060-a28c7e756a6f"><ac:plain-text-body><![CDATA[

[106]

Federal Trade Commission, "ASUSTeK Computer Inc., In the Matter of," 28 July 2016. [Online]. Available: https://www.ftc.gov/enforcement/cases-proceedings/142-3156/asustek-computer-inc-matter. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="76391ba8-37af-4c49-8661-adbaa017c316"><ac:plain-text-body><![CDATA[

[107]

Federal Trade Commission, "HTC America Inc., In the Matter of," 2 July 2013. [Online]. Available: https://www.ftc.gov/enforcement/cases-proceedings/122-3049/htc-america-inc-matter. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c51939bd-abf9-4537-bb3f-ddc53606b587"><ac:plain-text-body><![CDATA[

[108]

Federal Trade Commission, "Fandango, LLC," 19 August 2014. [Online]. Available: https://www.ftc.gov/enforcement/cases-proceedings/132-3089/fandango-llc. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="48ed4cf7-9825-4196-adf3-1c476c77d098"><ac:plain-text-body><![CDATA[

[109]

A. Askar, "Minecraft Vulnerability Advisory," 16 April 2015. [Online]. Available: http://blog.ammaraskar.com/minecraft-vulnerability-advisory/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="100e89b3-84dc-43f7-ae14-0418190c08cf"><ac:plain-text-body><![CDATA[

[110]

A. Ozment, "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting," in Workshop on Economics and Information Security, 2005.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f6dc72dc-5582-4dc3-b819-ef3a6bae9fbb"><ac:plain-text-body><![CDATA[

[111]

M. Finifter, D. Akhawe and D. Wagner, "An Empirical Study of Vulnerability Rewards Programs," in 22nd USENIX Security Symposium, 2013.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fdd319e9-b1d9-430c-932f-b5ebf8619861"><ac:plain-text-body><![CDATA[

[112]

L. Ablon and T. Bogart, "Zero Days, Thousands of Nights," RAND Corporation, 2017.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c64457c7-54f4-4e27-8b8d-d8ed89c6232e"><ac:plain-text-body><![CDATA[

[113]

T. Herr and B. Schneier, "Taking Stock: Estimating Vulnerability Rediscovery," 7 March 2017. [Online]. Available: https://ssrn.com/abstract=2928758. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7bd52316-f357-4fde-a15e-655b50ecc7ec"><ac:plain-text-body><![CDATA[

[114]

B. Grubb, "Heartbleed disclosure timeline: who knew what and when," The Sydney Morning Herald, 15 April 2014. [Online]. Available: http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="22f55220-0579-4917-bf07-a74d4484c4c7"><ac:plain-text-body><![CDATA[

[115]

SerNet, "Badlock Bug," 12 April 2016. [Online]. Available: http://www.badlock.org/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="da2fddea-20b7-440e-9ab2-e1dc2d8760b9"><ac:plain-text-body><![CDATA[

[116]

N. Perlroth, "Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant," 25 September 2014. [Online]. Available: https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="75f136b3-8866-4773-9510-78cbcaf7bd40"><ac:plain-text-body><![CDATA[

[117]

A. Sarwate, "The GHOST Vulnerability," 27 January 2015. [Online]. Available: https://blog.qualys.com/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cecd7cb0-717c-4d13-bf53-fc306de4f281"><ac:plain-text-body><![CDATA[

[118]

A. Watts, C. Huang and L. Chih-chang. Tao: The Watercourse Way, Pantheon, 1975.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f86e8d87-2d20-47f1-aef3-f1b9ebf7c814"><ac:plain-text-body><![CDATA[

[119]

M. Masnick, "For 10 Years Everyone's Been Using 'The Streisand Effect' Without Paying; Now I'm Going To Start Issuing Takedowns," 8 January 2015. [Online]. Available: https://www.techdirt.com/articles/20150107/13292829624/10-years-everyones-been-using-streisand-effect-without-paying-now-im-going-to-start-issuing-takedowns.shtml. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="efefd6c2-5483-4f06-bb0c-978417529895"><ac:plain-text-body><![CDATA[

[120]

R. Devendra, "Key Elements of the Sprint Retrospective," 24 April 2014. [Online]. Available: https://www.scrumalliance.org/community/articles/2014/april/key-elements-of-sprint-retrospective. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a1d17855-2cf7-4cb6-a6b4-95079bcd3502"><ac:plain-text-body><![CDATA[

[121]

CERT/CC, "Sending Sensitive Information," [Online]. Available: https://www.cert.org/contact/sensitive-information.cfm. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e7da7297-b8f1-4552-ae87-fefbc33d1f00"><ac:plain-text-body><![CDATA[

[122]

Symantec, "Symantec Desktop Email Encryption," [Online]. Available: https://www.symantec.com/products/information-protection/encryption/desktop-email-encryption. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="52d2457c-7729-4f07-ae87-fb918496783c"><ac:plain-text-body><![CDATA[

[123]

The GnuPG Project, "GNU Privacy Guard," [Online]. Available: https://gnupg.org/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5bebbb6d-18d7-4acb-b0d9-9f361a386eeb"><ac:plain-text-body><![CDATA[

[124]

B. Ramsdell and S. Turner, "RFC 5751 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification," January 2010. [Online]. Available: https://tools.ietf.org/html/rfc5751. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a7207319-c91e-4fa3-9274-7a788280d372"><ac:plain-text-body><![CDATA[

[125]

Internet Security Research Group (ISRG), "Let's Encrypt," [Online]. Available: https://letsencrypt.org/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ae6758c9-6e09-4872-8b0d-61156e3880a1"><ac:plain-text-body><![CDATA[

[126]

The Enigmail Project, "Enigmail," [Online]. Available: https://www.enigmail.net/index.php/en/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="73a34c49-c1f4-4e59-8f4a-7417bad2d07a"><ac:plain-text-body><![CDATA[

[127]

Gpg4win Initiative, "GNU Privacy Guard for Windows," [Online]. Available: https://www.gpg4win.org/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8743e151-0754-48e1-a630-51de88dc25dc"><ac:plain-text-body><![CDATA[

[128]

"KGpg," [Online]. Available: https://utils.kde.org/projects/kgpg/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

[110]

A. Ozment, "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting," in Workshop on Economics and Information Security, 2005.

[111]

M. Finifter, D. Akhawe and D. Wagner, "An Empirical Study of Vulnerability Rewards Programs," in 22nd USENIX Security Symposium, 2013.

[112]

L. Ablon and T. Bogart, "Zero Days, Thousands of Nights," RAND Corporation, 2017.

[113]

T. Herr and B. Schneier, "Taking Stock: Estimating Vulnerability Rediscovery," 7 March 2017. [Online]. Available: https://ssrn.com/abstract=2928758. [Accessed 16 May 2017].

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="98215303-bd8a-4b72-afcd-60656d181604"><ac:plain-text-body><![CDATA[

[114]

B. Grubb, "Heartbleed disclosure timeline: who knew what and when," The Sydney Morning Herald, 15 April 2014. [Online]. Available: http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html. [Accessed 23 May 2017].

[115]

SerNet, "Badlock Bug," 12 April 2016. [Online]. Available: http://www.badlock.org/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="00293e7f-8eaf-4e7c-9198-1e8eb7f81052"><ac:plain-text-body><![CDATA[

[116]

N. Perlroth, "Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant," 25 September 2014. [Online]. Available: https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="24c230d7-3699-43f0-8a06-d8a104525aff"><ac:plain-text-body><![CDATA[

[117]

A. Sarwate, "The GHOST Vulnerability," 27 January 2015. [Online]. Available: https://blog.qualys.com/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="75e6ae39-3232-4357-baae-ddf65a503ec1"><ac:plain-text-body><![CDATA[

[118]

A. Watts, C. Huang and L. Chih-chang, Tao: The Watercourse Way, Pantheon, 1975.

[119]

M. Masnick, "For 10 Years Everyone's Been Using 'The Streisand Effect' Without Paying; Now I'm Going To Start Issuing Takedowns," 8 January 2015. [Online]. Available: https://www.techdirt.com/articles/20150107/13292829624/10-years-everyones-been-using-streisand-effect-without-paying-now-im-going-to-start-issuing-takedowns.shtml. [Accessed 23 May 2017].

[120]

R. Devendra, "Key Elements of the Sprint Retrospective," 24 April 2014. [Online]. Available: https://www.scrumalliance.org/community/articles/2014/april/key-elements-of-sprint-retrospective. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7478378d-e1e1-4d5a-a7e0-bbae9a06a5d7"><ac:plain-text-body><![CDATA[

[121]

CERT/CC, "Sending Sensitive Information," [Online]. Available: https://www.cert.org/contact/sensitive-information.cfm. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="816e4183-2874-422f-bdbd-9bc9b201ae21"><ac:plain-text-body><![CDATA[

[122]

Symantec, "Symantec Desktop Email Encryption," [Online]. Available: https://www.symantec.com/products/information-protection/encryption/desktop-email-encryption. [Accessed 24 May 2017].

[123]

The GnuPG Project, "GNU Privacy Guard," [Online]. Available: https://gnupg.org/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cf46cb28-65c8-4323-9fd1-131062dc193a"><ac:plain-text-body><![CDATA[

[124]

B. Ramsdell and S. Turner, "RFC 5751 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification," January 2010. [Online]. Available: https://tools.ietf.org/html/rfc5751. [Accessed 24 May 2017].

[125]

Internet Security Research Group (ISRG), "Let's Encrypt," [Online]. Available: https://letsencrypt.org/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="00c54796-5c23-430b-a09d-7e84d029755e"><ac:plain-text-body><![CDATA[

[126]

The Enigmail Project, "Enigmail," [Online]. Available: https://www.enigmail.net/index.php/en/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

[127]

Gpg4win Initiative, "GNU Privacy Guard for Windows," [Online]. Available: https://www.gpg4win.org/. [Accessed 24 May 2017].

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fc4c7380-1fb7-447d-891f-519706675a40"><ac:plain-text-body><![CDATA[

[128]

"KGpg," [Online]. Available: https://utils.kde.org/projects/kgpg/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

[129]

G. Wassermann, "Reach Out and Mail Someone," 6 August 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/08/reach-out-and-mail-someone.html. [Accessed 24 May 2017].

[130]

"White Source Software," [Online]. Available: https://www.whitesourcesoftware.com/. [Accessed 24 May 2017].

[131]

"Black Duck Software," [Online]. Available: https://www.blackducksoftware.com. [Accessed 24 May 2017].

[132]

"Sonatype," [Online]. Available: https://www.sonatype.com/. [Accessed 24 May 2017].

[133]

"Synopsys," [Online]. Available: https://www.synopsys.com/. [Accessed 24 May 2017].

[134]

"Flexera Software," [Online]. Available: https://www.flexerasoftware.com/. [Accessed 24 May 2017].

[135]

TagVault.org, "SWID Tags," [Online]. Available: http://tagvault.org/swid-tags/. [Accessed 16 May 2017].

[136]

National Institute of Standards and Technology, "Common Platform Enumeration (CPE)," [Online]. Available: https://scap.nist.gov/specifications/cpe/ [Accessed 16 May 2017].

[137]

SPDX Workgroup, "Software Package Data Exchange," [Online]. Available: https://spdx.org/. [Accessed 16 May 2017].

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4e6045bc-d028-4fe6-879a-b092539c014e"><ac:plain-text-body><![CDATA[

[138]

CERT, "Dranzer," [Online]. Available: https://vuls.cert.org/confluence/display/tools/Dranzer. [Accessed 24 May 2017].

[139]

CERT, "BFF - Basic Fuzzing Framework," [Online]. Available: https://vuls.cert.org/confluence/display/tools/CERT+BFF+-+Basic+Fuzzing+Framework. [Accessed 24 May 2017].

[140]

FIRST, "TRAFFIC LIGHT PROTOCOL (TLP) FIRST Standards Definitions and Usage Guidance — Version 1.0," [Online]. Available: https://www.first.org/tlp. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f4b6baab-9c7e-4c65-b612-d57a5388dd4b"><ac:plain-text-body><![CDATA[

[141]

B. Rothke, "Building a Security Operations Center (SOC)," 29 Feb 2012. [Online]. Available: https://www.rsaconference.com/events/us12/agenda/sessions/683/building-a-security-operations-center-soc. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

[142]

S. Ragan, "Avoiding burnout: Ten tips for hackers working incident response," 30 April 2014. [Online]. Available: http://www.csoonline.com/article/2149900/infosec-careers/avoiding-burnout-ten-tips-for-hackers-working-incident-response.html. [Accessed 24 May 2017].

[143]

S. C. Sundaramurthy, A. G. Bardas, J. Case, X. Ou, M. Wesch, J. McHugh and S. R. Rajagopalan, "A human capital model for mitigating security analyst burnout," in Proceedings of the Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), July 2015.

[144]

A. Householder, "Vulnerability IDs, Fast and Slow," 11 March 2016. [Online]. Available: https://insights.sei.cmu.edu/cert/2016/03/vulnerability-ids-fast-and-slow.html. [Accessed 7 June 2017].

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6a507f38-ffa4-4933-929d-8a62f7888c8e"><ac:plain-text-body><![CDATA[

[145]

N. Mercer, "Further simplifying servicing models for Windows 7 and Windows 8.1," 15 August 2016. [Online]. Available: https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/. [Accessed 24 May 2017].

[146]

FIRST, "Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)," [Online]. Available: https://www.first.org/global/sigs/vrdx. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4a45620a-a9be-4c2f-aa04-f5eb53dce3e6"><ac:plain-text-body><![CDATA[

[147]

D. Klinedinst, "Coordinating Vulnerabilities in IoT Devices," 27 January 2016. [Online]. Available: https://insights.sei.cmu.edu/cert/2016/01/coordinating-vulnerabilities-in-iot-devices.html. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

[148]

S. Christey Coley and B. Martin, "Buying Into the Bias: Why Vulnerability Statistics Suck," in BlackHat, 2013.

[149]

MITRE, "CVE Abstraction Content Decisions: Rationale and Application," 15 June 2005. [Online]. Available: https://cve.mitre.org/cve/editorial_policies/cd_abstraction.html. [Accessed 24 May 2017].

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bb3168f3-4f0b-444e-9ca6-61a37916d170"><ac:plain-text-body><![CDATA[

[150]

National Institute of Standards and Technology, "National Vulnerability Database," [Online]. Available: https://nvd.nist.gov/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

[151]

CNNVD, "China National Vulnerability Database of Information Security," [Online]. Available: http://www.cnnvd.org.cn/. [Accessed 16 May 2017].

[152]

CNVD, "China National Vulnerability Database," [Online]. Available: http://www.cnvd.org.cn/. [Accessed 16 May 2017].

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b15ff2db-1cf9-4122-8665-4c1bd507bae4"><ac:plain-text-body><![CDATA[

[153]

D. Kahneman, Thinking, Fast and Slow, Macmillan, 2011.

[154]

V. Driessen, "A successful Git branching model," 5 January 2010. [Online]. Available: http://nvie.com/posts/a-successful-git-branching-model/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b162e6d7-7e2a-4688-b4ac-a72f788e2cae"><ac:plain-text-body><![CDATA[

[155]

H. Booth and K. Scarfone, "Vulnerability Data Model draft-booth-sacm-vuln-model-02," 25 April 2013. [Online]. Available: https://tools.ietf.org/html/draft-booth-sacm-vuln-model-02. [Accessed 16 May 2017].

[156]

A. Householder, "Vulnerability Discovery for Emerging Networked Systems," 20 November 2014. [Online]. Available: https://insights.sei.cmu.edu/cert/2014/11/-vulnerability-discovery-for-emerging-networked-systems.html. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

[157]

D. Geer, "Security of Things," 14 May 2014. [Online]. Available: http://geer.tinho.net/geer.secot.7v14.txt. [Accessed 16 May 2017].

[158]

S. Arbesman, Overcomplicated: Technology at the Limits of Comprehension, Current, 2016.

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="85907a26-0845-4c97-8e7d-051c2a4952cd"><ac:plain-text-body><![CDATA[

[159]

A. Householder, "What's Different About Vulnerability Analysis and Discovery in Emerging Networked Systems?" 6 January 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/01/-whats-different-about-vulnerability-analysis-and-discovery-in-emerging-networked-systems.html. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6ba02824-5b43-4a7b-ad40-84fd95dc8453"><ac:plain-text-body><![CDATA[

[160]

JPCERT/CC and IPA, "Japan Vulnerability Notes," [Online]. Available: https://jvn.jp/en/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="aa92eb47-a504-4b9a-96f1-f1beda073c86"><ac:plain-text-body><![CDATA[

[161]

O. H. Alhazmi, Y. K. Malaiya and I. Ray, "Measuring, analyzing and predicting security vulnerabilities in software systems," Computers & Security, vol. 26, no. 3, pp. 219-228, 2007.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7b61c64a-695d-45c1-843b-88f93d5bd25b"><ac:plain-text-body><![CDATA[[162]

Wikipedia, "Wicked problem," [Online]. Available: https://en.wikipedia.org/wiki/Wicked_problem. [Accessed 5 June 2017].]]></ac:plain-text-body></ac:structured-macro>