Appendix A - On the Internet of Things and Vulnerability Analysis


This appendix is adapted from two CERT/CC Blog Posts \[159\] \[156\].
*IoT Vulnerability Discovery*

In 2014 CERT performed a study of vulnerability discovery techniques for IoT systems. As we reviewed the literature, we found a number of techniques in common use. Here they are, ranked in approximately descending order of popularity in the research we surveyed:
  1. Reading documentation: This includes product data sheets, protocol specifications, Internet Drafts and RFCs, manufacturer documentation and specs, patents, hardware documentation, support sites, bug trackers, discussion forums, FCC filings, developer documentation, and related information.
  2. Reverse engineering: In most cases, this consists of reverse engineering (RE) binary firmware or other software to understand its function. However, there are instances in which merely understanding a proprietary file format is sufficient to direct further analyses. Hardware RE appears in some research, but has not been as prevalent as RE of software or file formats. As security researchers develop more hardware knowledge and skills (or as individuals with those skills become security researchers) we expect the prevalence of hardware RE to increase in the security literature.
  3. Protocol analysis: Understanding the communication protocols used by a system is vital to identifying remotely exploitable vulnerabilities. This technique can take the form of simply sniffing traffic to find input or channels that the system trusts when it should not, or reverse engineering a proprietary protocol enough to build a fuzzer for it. Decoding both the syntax and semantics can be important. In wireless systems, this technique can also take the form of using a software defined radio (SDR) to perform signal analysis, which for this purpose is essentially protocol analysis at a lower level of the stack.
  4. Modeling and simulation: Threat modeling from the attacker perspective was mentioned in a handful of papers, as was modeling and simulation of either the system or its protocols for further analysis using mathematical techniques such as game or graph theory.
  5. Fuzzing: Feeding a system malformed or randomized input and watching for crashes, hangs, or other anomalous behavior is a common way to test how it deals with arbitrary input. Fuzzing of network protocols is a common method cited in a number of reports.
  6. Input or traffic generation and spoofing: Unlike fuzzing, spoofing usually consists of constructing otherwise valid input to a system to cause it to exhibit unexpected behavior. Constructing bogus input from a valid or trusted source also falls into this category.
  7. Scanning: Because most IoT are composed of multiple components, each of which may have its own architecture and code base, a researcher can often find known vulnerabilities in such systems simply by running available vulnerability scanning and exploitation tools such as Nessus or Metasploit against them.
  8. Hardware hacking: This technique involves interfacing directly with the electronics at the circuit level. It is a form of physical-level reverse engineering and can include mapping circuits and connecting with JTAG to dump memory state or firmware.
  9. Debugging: This technique uses software-based or hardware-based debuggers. JTAG is a common hardware debugging interface mentioned in many reports.
  10. Writing code: This technique involves developing custom tools to assist with extracting, characterizing, and analyzing data to identify vulnerabilities.
  11. Application of specialized knowledge and skills: In some cases, just knowing how a system works and approaching it with a security mindset is sufficient to find vulnerabilities. Examples include RFID and Modbus.
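As an added illustration (not part of the original appendix or of the CERT/CC study it summarizes), the Python script below combines items 3, 5 and 6 above against a constructed target: a toy telemetry frame format (sync bytes, type, length, payload, 8-bit checksum), a parser for it with a deliberately planted defect (it trusts the declared length field), and a mutation fuzzer that re-seals the checksum after every mutation so that mutants pass the integrity check and reach the logic behind it, which is the "otherwise valid input" idea from item 6. The frame format, the parser, its defect and the `hardened` switch are all inventions for this example. The oracle is the part worth copying: the parser's own rejection path (ValueError) is expected, and anything else is a defect to triage.

```python
"""Constructed example: a toy IoT telemetry frame, a parser with a planted
defect, and a checksum-aware mutation fuzzer that finds it."""
import random
import struct

MAGIC = b"\xa5\x5a"          # frame sync bytes (assumed format)
SENSOR_PAYLOAD_LEN = 6       # sensor reading: id (uint16 LE) | value (uint32 LE)


def checksum(data: bytes) -> int:
    """8-bit additive checksum, the cheap integrity check many constrained
    devices use; it rejects line noise, not a deliberate attacker."""
    return sum(data) & 0xFF


def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Encode: MAGIC | type (1) | length (1) | payload | checksum (1)."""
    body = MAGIC + bytes([msg_type, len(payload)]) + payload
    return body + bytes([checksum(body)])


def parse_frame(frame: bytes, hardened: bool = False) -> dict:
    """Decode a frame. With hardened=False the parser trusts the declared
    length field (the planted defect); hardened=True adds the missing checks."""
    if len(frame) < 5:
        raise ValueError("short frame")
    if frame[:2] != MAGIC:
        raise ValueError("bad magic")
    if checksum(frame[:-1]) != frame[-1]:
        raise ValueError("bad checksum")
    msg_type, length = frame[2], frame[3]
    if hardened and length != len(frame) - 5:
        raise ValueError("declared length does not match frame size")
    payload = frame[4:4 + length]
    if msg_type == 1:
        return {"type": "heartbeat"}
    if msg_type == 2:
        if hardened and len(payload) != SENSOR_PAYLOAD_LEN:
            raise ValueError("sensor payload must be 6 bytes")
        # Planted defect: with a short payload this unpack fails with
        # struct.error; the equivalent C code would read past the buffer.
        sensor_id, value = struct.unpack("<HI", payload[:SENSOR_PAYLOAD_LEN])
        return {"type": "sensor", "id": sensor_id, "value": value}
    raise ValueError(f"unknown message type {msg_type}")


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Apply one mutation to the body and re-seal the checksum, so the mutant
    passes the integrity check and exercises the logic behind it."""
    body = bytearray(frame[:-1])
    choice = rng.randrange(4)
    if choice == 0:                               # flip one bit anywhere
        i = rng.randrange(len(body))
        body[i] ^= 1 << rng.randrange(8)
    elif choice == 1:                             # tamper with the length field
        body[3] = rng.randrange(256)
    elif choice == 2:                             # truncate the body
        del body[rng.randrange(len(body) + 1):]
    else:                                         # append junk bytes
        body += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(body) + bytes([checksum(body)])


def fuzz(seed_frame: bytes, iterations: int, seed: int = 1,
         hardened: bool = False) -> dict:
    """Run the parser on mutants. ValueError is the parser's own rejection
    path and is expected; any other exception is a defect. Returns one
    reproducing input (hex) per exception type."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        mutant = mutate(seed_frame, rng)
        try:
            parse_frame(mutant, hardened=hardened)
        except ValueError:
            continue
        except Exception as exc:  # a fuzzer wants every other failure
            findings.setdefault(type(exc).__name__, mutant.hex())
    return findings


if __name__ == "__main__":
    seed_frame = build_frame(2, struct.pack("<HI", 7, 1234))
    print("baseline parse:", parse_frame(seed_frame))
    print("defects found:", fuzz(seed_frame, 500))
    print("after hardening:", fuzz(seed_frame, 500, hardened=True))
```

On real hardware the oracle is harder to build than it is here: a crash shows up as a watchdog reset, a hung serial console or a fault caught in a debugger, which is exactly the instrumentation problem discussed in the analysis section below.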

Many of the techniques listed above are common to vulnerability discovery in the traditional computing and mobile world. However, the low-hanging fruit appears to hang much lower in the IoT than in traditional computing. From a security perspective, even mobile systems have a head start, although they are not as far along as traditional computing platforms. The fact is that many of the vulnerabilities found thus far in IoT would be considered trivial—and rightly so—in the more mature market of servers and desktop computing. Yet the relative scale of the IoT market makes even trivial vulnerabilities potentially risky in aggregate.
*IoT Vulnerability Analysis*
In our review of recent security research that focused on vulnerability discovery in the Internet of Things, we identified several key differences between IoT and traditional computing and mobile platforms, including

  1. Limited instrumentation: The vulnerability analyst's ability to instrument the system in order to test its security can be limited. Many of the systems comprise embedded devices that are effectively black boxes at the network level. On the surface, this limitation might appear to be beneficial to the security of the system; if it's hard to create an analysis environment, it might be difficult to find vulnerabilities in the system. However, the problem is that while a determined and/or well-resourced attacker can overcome such obstacles and get on with finding vulnerabilities, a lack of instrumentation can make it difficult even for the vendor to adequately test the security of its own products.
  2. Less familiar system architectures: IoT architectures are often different from those most often encountered by the typical vulnerability analyst. In short, ARM is neither x86 nor IA64, and some embedded systems run on neither (MIPS, PowerPC, and assorted microcontroller cores are common). Although this limitation is trivially obvious at a technical level, many vulnerability researchers and analysts will have to overcome this skill gap if they are to remain effective at finding and remediating vulnerabilities in IoT.
  3. Limited user interfaces: User interfaces on the devices themselves are extremely limited—a few LEDs, maybe some switches or buttons, and that's about it. Thus, significant effort can be required just to provide input or get the feedback needed to perform security analysis work.
  4. Proprietary protocols: The network protocols used above the transport layer are often proprietary. Although the spread of HTTP/HTTPS continues in this space as it has in the traditional and mobile spaces, there are many extant protocols that are poorly documented or wholly undocumented. The effort required to identify and understand higher level protocols, given sometimes scant information about them, can be daunting. Techniques and tools for network protocol inference and reverse engineering can be effective tactics. However, if vendors were more open with their protocol specifications, much of the need for that effort would be obviated.
  5. Lack of updatability: Unlike most other devices (laptops, PCs, smartphones, tablets), many IoT are either non-updateable or require significant effort to update. Systems that cannot be updated become less secure over time as new vulnerabilities are found and novel attack techniques emerge. Because vulnerabilities are often discovered long after a system has been delivered, systems that lack facilities for secure updates once deployed present a long-term risk to the networks in which they reside. This design flaw is perhaps the most significant one already found in many IoT, and if not corrected across the board, could lead to years if not decades of increasingly insecure devices acting as reservoirs of infection or as platforms for lateral movement by attackers of all types.
  6. Lack of security tools: Security tools used for prevention, detection, analysis, and remediation in traditional computing systems have evolved and matured significantly over a period of decades. And while in many cases similar concepts apply to IoT, the practitioner will observe a distinct gap in available tools when attempting to secure or even observe such a system in detail. Packet capture and decoding, traffic analysis, reverse engineering and binary analysis, and the like are all transferable as concepts if not directly as tools, yet the tooling is far weaker when you get outside of the realm of Windows and Unix-based (including OSX) operating systems running on x86/IA64 architectures.
  7. Vulnerability scanning tool and database bias: Vulnerability scanning tools largely look for known vulnerabilities. They, in turn, depend on vulnerability databases for their source material. However, databases of known vulnerabilities—CVE \[14\], the National Vulnerability Database (NVD) \[150\], Japan Vulnerability Notes (JVN) \[160\] and the CERT Vulnerability Notes Database \[15\] to name a few—are heavily biased by their history of tracking vulnerabilities in traditional computing systems (e.g., Windows, Linux, OSX, Unix and variants). Recent conversations with these and other vulnerability database operators indicate that the need to expand coverage into IoT is either a topic of active investigation and discussion or a work already in progress. However, we can expect the existing gap to remain for some time as these capabilities ramp up.
  8. Inadequate threat models: Overly optimistic threat models are de rigueur among IoT. Many IoT are developed with what can only be described as naive threat models that drastically underestimate the hostility of the environments into which the system will be deployed. (Undocumented threat models are still threat models, even if they only exist in the assumptions made by the developer.) Even in cases where the developer of the main system is security-knowledgeable, he or she often is composing systems out of components or libraries that may not have been developed with the same degree of security consideration. This weakness is especially pernicious in power- or bandwidth-constrained systems where the goal of providing lightweight implementations supersedes the need to provide a minimum level of security. We believe this is a false economy that only defers a much larger cost when the system has been deployed, vulnerabilities are discovered, and remediation is difficult.
  9. Third-party library vulnerabilities: We observe pervasive use of third-party libraries with neither recognition of nor adequate planning for how to fix or mitigate the vulnerabilities they inevitably contain. When a developer embeds a library into a system, that system can inherit vulnerabilities subsequently found in the incorporated code. Although this is true in the traditional computing world, it is even more concerning in contexts where many libraries wind up as binary blobs and are simply included in the firmware as such. Lacking the ability to analyze this black box code either in manual source code reviews or using most code analysis tools, vendors may find it difficult to examine the code's security.
  10. Unprepared vendors: Often we find that IoT vendors are not prepared to receive and handle vulnerability reports from outside parties, such as the security researcher community. Many also lack the ability to perform their own vulnerability discovery within their development lifecycle. These difficulties tend to arise from one of two causes:
     a. The vendor is comparatively small or new and has yet to form a product security incident response capability.
     b. The vendor has deep engineering experience in its domain but has not fully incorporated the effect of network-enabling its devices into its engineering quality assurance (this is related to the inadequate threat model point above).

Typically, vendors in the latter group may have very strong skills in safety engineering or regulatory compliance, yet their internet security capability is lacking. Our experience is that many IoT vendors are surprised by the vulnerability disclosure process. We frequently find ourselves having conversations that rehash two decades of vulnerability coordination and disclosure debates with vendors who appear to experience something similar to the Kübler-Ross stages of grief (denial, anger, bargaining, depression, and acceptance; see http://www.ekrfoundation.org/) during the process.

  11. Unresolved vulnerability disclosure debates: If we have learned anything in decades of CVD at the CERT/CC, it is that there is no single right answer to most vulnerability disclosure questions. However, in the traditional computing arena, most vendors and researchers have settled into a reasonable rhythm of allowing the vendor some time to fix vulnerabilities prior to publishing a vulnerability report more widely. Software as a service (SaaS) and software distributed through app stores can often fix and deploy patches to most customers quickly. On the opposite end of the spectrum, we find many IoT and embedded device vendors for whom fixing a vulnerability might require a firmware upgrade or even physical replacement of affected devices. This diversity of requirements forces vendors and researchers alike to reconsider their expectations with respect to the timing and level of detail provided in vulnerability reports based on the systems affected. Coupled with the proliferation of IoT vendors who are relative novices at internet-enabled devices and just becoming exposed to the world of vulnerability research and disclosure, the shift toward IoT can be expected to reinvigorate numerous disclosure debates as the various stakeholders work out their newfound positions.
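The third-party library point above (item 9) is the one a vendor can start on without source code: library version banners usually survive inside a binary blob, and comparing them against a minimum-approved-version list is a cheap first pass. The Python below is an added example, not from the original appendix or from any tool the CERT/CC describes. The "firmware image" is a few constructed bytes around banner strings of the form zlib, OpenSSL and BusyBox are known to embed; the `MINIMUM_APPROVED` table is a placeholder policy for a hypothetical organization, not a statement about real vulnerabilities in those versions.

```python
"""Constructed example: spotting third-party library version banners inside an
opaque firmware blob and checking them against a minimum-approved-version list."""
import re
from typing import Dict, List, Tuple

# Banner forms these libraries are known to embed in their binaries; the set
# of libraries covered is an assumption for the example, not an exhaustive list.
BANNERS = {
    "zlib": re.compile(rb"(?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)"),
}

# Placeholder policy: the oldest version of each library this hypothetical
# organization accepts in a product. Not a claim about real vulnerabilities.
MINIMUM_APPROVED = {"zlib": "1.2.11", "openssl": "1.1.1", "busybox": "1.30.0"}

# A constructed "firmware image": binary filler around the kind of strings
# that survive in a vendor-supplied binary blob.
FIRMWARE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"inflate 1.2.8 Copyright 1995-2013 Mark Adler \x00"
    + b"\x90\xcc\x00\xff" * 5
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"
    + b"\x00" * 8
    + b"deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler \x00"
    + b"BusyBox v1.31.1 (2019-10-28 12:00:00 UTC) multi-call binary.\x00"
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'1.2.8' -> (1, 2, 8, 0); '1.0.2k' -> (1, 0, 2, 11). The trailing letter
    OpenSSL 1.0.x used for patch releases becomes a number so tuples compare."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z])?", text)
    if not m:
        raise ValueError(f"unparseable version {text!r}")
    major, minor, patch, letter = m.groups()
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch or 0), suffix)


def find_components(blob: bytes) -> Dict[str, List[str]]:
    """Map library name -> distinct versions whose banners appear in the blob.
    Two versions of one library is itself a finding (two copies linked in)."""
    found: Dict[str, List[str]] = {}
    for name, pattern in BANNERS.items():
        versions: List[str] = []
        for m in pattern.finditer(blob):
            v = m.group(1).decode("ascii")
            if v not in versions:
                versions.append(v)
        if versions:
            found[name] = versions
    return found


def audit(blob: bytes, policy: Dict[str, str] = MINIMUM_APPROVED) -> List[Tuple[str, str, str]]:
    """Return (library, version, verdict) rows. Verdicts: 'ok', 'below-minimum',
    or 'no-policy' when a banner is found for a library the policy omits."""
    rows = []
    for name, versions in find_components(blob).items():
        for v in versions:
            if name not in policy:
                rows.append((name, v, "no-policy"))
            elif parse_version(v) < parse_version(policy[name]):
                rows.append((name, v, "below-minimum"))
            else:
                rows.append((name, v, "ok"))
    return rows


if __name__ == "__main__":
    for row in audit(FIRMWARE_BLOB):
        print("%-8s %-8s %s" % row)
```

In practice `strings` and a firmware carving tool do the extraction at scale; the comparison logic is the part shown here. The limit matters as much as the result: a stripped or statically linked library can leave no banner at all, so an absent banner is not evidence that the library is absent, which is why the appendix calls such blobs black boxes.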
*IoT Parting Thoughts*
Although vulnerability analysis for IoT has much in common with security research in traditional computing and mobile environments, there are a number of important distinctions outlined in this appendix. The threats posed by these systems given their current proliferation trajectory are concerning.
Even as they become more common, it can be difficult to identify the threats posed to a network by IoT either alone or in aggregate. In the simplest sense one might think of it as a "hidden Linux" problem: How many devices can you find in your immediate vicinity containing some form of Linux? Do you know what their patch status is? Do you know how you'd deal with a critical vulnerability affecting them? Furthermore, while the hidden Linux problem isn't going away any time soon, we believe the third-party library problem will long outlast it. How many vulnerable image parsers with a network-accessible attack vector share your home with you? How would you patch them?
Dan Geer \[157\] puts it thus:
_\[A\]n advanced persistent threat, one that is difficult to discover, difficult to remove, and difficult to attribute, is easier in a low-end monoculture, easier in an environment where much of the computing is done by devices that are deaf and mute once installed or where those devices operate at the very bottom of the software stack, where those devices bring no relevant societal risk by their onesies and twosies, but do bring relevant societal risk at today's extant scales much less the scales coming soon._
We agree.
<ac:structured-macro ac:name="anchor" ac:schema-version="1" ac:macro-id="1312ef42-f571-41dd-9823-0b0de1f25e30"><ac:parameter ac:name="">_Toc489873276</ac:parameter></ac:structured-macro>{*}Appendix B - Traffic Light Protocol*
This appendix is reproduced from [https://www.first.org/tlp|https://www.first.org/tlp] \[140\].
*FIRST Standards Definitions and Usage Guidance — Version 1.0*
*1. Introduction*
  1. The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). TLP only has four colors; any designations not listed in this standard are not considered valid by FIRST.
  2. TLP provides a simple and intuitive schema for indicating when and how sensitive information can be shared, facilitating more frequent and effective collaboration. TLP is not a "control marking" or classification scheme. TLP was not designed to handle licensing terms, handling and encryption rules, and restrictions on action or instrumentation of information. TLP labels and their definitions are not intended to have any effect on freedom of information or "sunshine" laws in any jurisdiction.
  3. TLP is optimized for ease of adoption, human readability and person-to-person sharing; it may be used in automated sharing exchanges, but is not optimized for that use.
  4. TLP is distinct from the Chatham House Rule (when a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed), but may be used in conjunction if it is deemed appropriate by participants in an information exchange.
  5. The source is responsible for ensuring that recipients of TLP information understand and can follow TLP sharing guidance.
  6. If a recipient needs to share the information more widely than indicated by the original TLP designation, they must obtain explicit permission from the original source.

*2. Usage*

  1. How to use TLP in email: TLP-designated email correspondence should indicate the TLP color of the information in the Subject line and in the body of the email, prior to the designated information itself. The TLP color must be in capital letters: TLP:RED, TLP:AMBER, TLP:GREEN, or TLP:WHITE.
  2. How to use TLP in documents: TLP-designated documents should indicate the TLP color of the information in the header and footer of each page. To avoid confusion with existing control marking schemes, it is advisable to right-justify TLP designations. The TLP color should appear in capital letters and in 12-point type or greater.

RGB:
 TLP:RED : R=255, G=0, B=51, background: R=0, G=0, B=0
 TLP:AMBER : R=255, G=192, B=0, background: R=0, G=0, B=0
 TLP:GREEN : R=51, G=255, B=0, background: R=0, G=0, B=0
 TLP:WHITE : R=255, G=255, B=255, background: R=0, G=0, B=0
CMYK:
 TLP:RED : C=0, M=100, Y=79, K=0, background: C=0, M=0, Y=0, K=100
 TLP:AMBER : C=0, M=25, Y=100, K=0, background: C=0, M=0, Y=0, K=100
 TLP:GREEN : C=79, M=0, Y=100, K=0, background: C=0, M=0, Y=0, K=100
 TLP:WHITE : C=0, M=0, Y=0, K=0, background: C=0, M=0, Y=0, K=100
*3. TLP definitions*

  1. TLP:RED = Not for disclosure, restricted to participants only.

Sources may use TLP:RED when information cannot be effectively acted upon by additional parties and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

  2. TLP:AMBER = Limited disclosure, restricted to participants' organizations.

Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing; these must be adhered to.

  3. TLP:GREEN = Limited disclosure, restricted to the community.

Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

  4. TLP:WHITE = Disclosure is not limited.

Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
*Notes:*
1. This document uses "should" and "must" as defined by RFC-2119. 
2. Comments or suggestions on this document can be sent to tlp-sig@first.org.
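Section 1.3 above notes that TLP may be used in automated sharing exchanges even though it is optimized for person-to-person use. The Python below is an added example (not part of the FIRST document reproduced above and not FIRST's code) of the two checks such an exchange needs: finding the marking in a message the way section 2.1 places it (in the Subject line and at the top of the body, in capitals, as one of the four listed designations) and deciding whether a recipient may forward the information to a given audience without going back to the source (section 1.6). The audience labels are a vocabulary made up for the example; the choice to reject conflicting Subject/body markings rather than pick the most restrictive one, and to accept only the exact forms the standard lists, are this example's assumptions.

```python
"""Added example: locate and validate TLP 1.0 markings in an email and check a
proposed forward against the colour's sharing boundary."""
import re
from typing import List, Optional, Tuple

# The only valid designations, most to least restrictive. Capitals are
# required, so the final check below is case-sensitive.
TLP_COLORS = ("RED", "AMBER", "GREEN", "WHITE")

# Deliberately loose pattern so that mis-cased or misspelled attempts are
# caught and reported rather than silently treated as unmarked.
_MARKING = re.compile(r"\bTLP: ?([A-Za-z]+)\b", re.IGNORECASE)

# Audience labels are made up for this example, not part of TLP. Each colour
# lists the audiences its definition lets a recipient share with on its own.
ALLOWED = {
    "RED": {"original_exchange"},
    "AMBER": {"original_exchange", "own_organization", "client_need_to_know"},
    "GREEN": {"original_exchange", "own_organization", "client_need_to_know",
              "sector_community"},
    "WHITE": {"original_exchange", "own_organization", "client_need_to_know",
              "sector_community", "public"},
}


class TLPError(ValueError):
    """A designation FIRST does not define, or markings that disagree."""


def find_markings(text: str) -> List[Tuple[str, str]]:
    """Every TLP-looking token in text as (raw token, colour part) pairs."""
    return [(m.group(0), m.group(1)) for m in _MARKING.finditer(text)]


def validate(raw: str, colour: str) -> str:
    """Accept only the exact forms the standard lists, e.g. 'TLP:AMBER'."""
    if colour.upper() not in TLP_COLORS:
        raise TLPError(f"{raw!r} is not a TLP designation")
    if raw != f"TLP:{colour}" or colour != colour.upper():
        raise TLPError(f"{raw!r} must be written as 'TLP:{colour.upper()}'")
    return colour


def effective_marking(subject: str, body: str) -> Optional[str]:
    """Colour governing a message, or None if it carries no marking.

    The colour belongs in the Subject and in the body ahead of the marked
    content, so only the first body marking is read as the header; later ones
    may be quoted from other material. Subject and body must agree: a conflict
    is reported, not resolved (assumption: ask the source)."""
    marks = find_markings(subject) + find_markings(body)[:1]
    colours = {validate(raw, colour) for raw, colour in marks}
    if not colours:
        return None
    if len(colours) > 1:
        raise TLPError(f"conflicting markings: {sorted(colours)}")
    return colours.pop()


def may_forward(colour: str, audience: str) -> bool:
    """True if a recipient may share `colour` information with `audience`
    without the source's explicit permission. Extra limits a source attaches
    to TLP:AMBER information are not modelled and still have to be honoured."""
    if colour not in ALLOWED:
        raise TLPError(f"unknown colour {colour!r}")
    if audience not in ALLOWED["WHITE"]:
        raise TLPError(f"unknown audience {audience!r}")
    return audience in ALLOWED[colour]


if __name__ == "__main__":
    subject = "TLP:AMBER - indicators from last night's incident"
    body = "TLP:AMBER\n\nObserved indicators follow (quotes a TLP:GREEN bulletin)\n"
    colour = effective_marking(subject, body)
    print(colour, "-> may forward to sector peers?",
          may_forward(colour, "sector_community"))
```

The table encodes the version 1.0 definitions reproduced above. FIRST's later TLP 2.0 renamed WHITE to CLEAR and added AMBER+STRICT, so the colour list and the pattern would need updating before checking messages marked under that version.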
<ac:structured-macro ac:name="anchor" ac:schema-version="1" ac:macro-id="602621af-813e-4732-910f-aa1f187538a4"><ac:parameter ac:name="">_Toc489873277</ac:parameter></ac:structured-macro>{*}Appendix C - Sample Vulnerability Report Form*
This is a vulnerability report, typically sent from a reporter to a vendor. These reports may also be shared among other third parties, by the reporter, the vendor, or a coordinator.
This is a report example based on the CERT/CC's Vulnerability Reporting Form \[79\], and is not meant to be exhaustive of all possibilities. Please modify the sections and format as necessary to better suit your needs.
*Vulnerability Report*
The information below should be handled as (choose one): 
<span style="color: #ff0033">TLP:RED</span> / <span style="color: #ffc000">TLP:AMBER</span> / <span style="color: #33ff00">TLP:GREEN</span> / <span style="color: #ffffff">TLP:WHITE</span>
*Vulnerability*

Disclosure Plans

Reporter

Additional Information

<ac:structured-macro ac:name="anchor" ac:schema-version="1" ac:macro-id="474fae8b-b9bb-4b93-8430-3c72007cf8d9"><ac:parameter ac:name="">_Toc489873278</ac:parameter></ac:structured-macro>{*}Appendix D - Sample Vulnerability Disclosure Document*
The vulnerability disclosure document is also often referred to as a "security advisory," particularly if published by the vendor.
This is an example of a vulnerability disclosure document based on CERT/CC's Vulnerability Notes \[15\] format. It is not meant to be exhaustive of all scenarios. Please modify the sections and format as necessary to better suit your needs.
*Vulnerability Disclosure Document*
*Overview*

Vulnerability ID

Description

Impact

CVSS Score

Resolution

 
Reporter
This vulnerability was reported/discovered by _____________.
Author and/or Contact Info
For more information or questions, please contact:

Disclosure Timeline

(List more dates here as necessary to document your communication attempts.)
References
(List reference URLs here: for example, vendor advisory, other disclosures, and links to advice on mitigating problems.)
*Appendix E - Disclosure Policy Templates*
NTIA Early Stage Template
The NTIA Early Stage Template focuses on vulnerability disclosure policy development in safety-critical industries, in which the potential for harm directly impacts public safety or causes physical damage (e.g., automobiles or medical devices), but the lessons are easily adaptable by any organization that builds or maintains its own software or systems. A discussion of issues and template policy is included.
https://www.ntia.doc.gov/files/ntia/publications/ntia_vuln_disclosure_early_stage_template.pdf
Open Source Vulnerability Disclosure Framework
BugCrowd and CipherLaw created the Open Source Vulnerability Disclosure Framework, offered under a Creative Commons Attribution 4.0 International License. The framework "is designed to quickly and smoothly prepare your organization to work with the independent security researcher community while reducing the legal risks to researchers and companies." In addition to a policy template "written with both simplicity and legal completeness in mind," a guidance document is provided for setting up a vulnerability disclosure program.
https://github.com/bugcrowd/disclosure-policy
U.S. GSA Vulnerability Disclosure Policy
The United States General Services Administration (GSA)'s Technology Transformation Service (TTS) provides its vulnerability disclosure policy as a public domain resource.
https://github.com/18F/vulnerability-disclosure-policy
ENISA Good Practice Guide on Vulnerability Disclosure
The Good Practice Guide on Vulnerability Disclosure from European Union Agency for Network and Information Security (ENISA) includes an annotated vulnerability disclosure policy template as an Annex.
https://www.enisa.europa.eu/publications/vulnerability-disclosure/at_download/fullReport
US Department of Justice Framework for a Vulnerability Disclosure Program for Online Systems
The United States Department of Justice (DoJ) has published a white paper containing guidance aimed at developing vulnerability disclosure programs for online systems and services. This report makes a point to distinguish online systems and services from "third-party vulnerability disclosure and hands-on—rather than remote—examination of software, devices, or hardware" because of potentially distinct legal issues that may arise.
https://www.justice.gov/criminal-ccips/page/file/983996/download
The aforementioned report is one of many related white papers provided by the DoJ's Computer Crime and Intellectual Property section.
https://www.justice.gov/criminal-ccips/ccips-documents-and-reports
Where to Look for More
Numerous organizations have already posted their vulnerability disclosure policies. A wide variety of these policies can be found by searching the web for "vulnerability disclosure policy," or "vulnerability disclosure program," or by browsing third-party vulnerability disclosure (e.g., bug bounty) service providers' hosted programs. 
Bibliography
URLs are valid as of the publication date of this document.

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a48ec5b2-b42b-4265-a7ef-aedc2468e34e"><ac:plain-text-body><![CDATA[

[1]

B. Cancilla, "Return of the Browser Wars," August 2004. [Online]. Available: http://www.ibmsystemsmag.com/ibmi/trends/whatsnew/Return-of-the-Browser-Wars/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9015613a-e544-426b-b2b6-eca78b13787f"><ac:plain-text-body><![CDATA[

[2]

A. Manion, "Vulnerability Note VU#713878 Microsoft Internet Explorer does not properly validate source of redirected frame," CERT/CC, 9 June 2004. [Online]. Available: https://www.kb.cert.org/vuls/id/713878. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1212f574-f6c8-4604-831c-9d12bdad331b"><ac:plain-text-body><![CDATA[

[3]

Oxford Living Dictionaries (English), "process," [Online]. Available: https://en.oxforddictionaries.com/definition/process. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d7efe439-cbed-4b30-bcee-0c89cedd3e2e"><ac:plain-text-body><![CDATA[

[4]

R. Kissel (Ed.), "NISTIR 7298 Revision 2 Glossary of Key Information Security Terms," U.S. Department of Commerce, 2013.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1011985a-103f-4887-9061-71519010ba9a"><ac:plain-text-body><![CDATA[

[5]

R. Caralli, J. H. Allen and D. W. White, CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience, Addison-Wesley Professional, 2010.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c52cc57a-93ab-4e17-9ab4-c607d33566ca"><ac:plain-text-body><![CDATA[

[6]

A. Shostack, Threat modeling: Designing for Security, John Wiley & Sons, 2014.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f3f4ec01-e50c-4295-9148-2ccd27708ff8"><ac:plain-text-body><![CDATA[

[7]

F. Swiderski and W. Snyder, Threat Modeling, Microsoft Press, 2004.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bd93e852-98f0-427b-9340-de358d1ed072"><ac:plain-text-body><![CDATA[

[8]

R. C. Seacord, The CERT C Secure Coding Standard, Pearson Education, 2008.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7192bc4a-2942-4975-a2e4-b4ef11cffda3"><ac:plain-text-body><![CDATA[

[9]

F. Long, D. Mohindra, R. C. Seacord, D. F. Sutherland and D. Svoboda, The CERT Oracle Secure Coding Standard for Java, Addison-Wesley Professional, 2011.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9367fa6f-99d5-48cf-baac-b97f819bcef0"><ac:plain-text-body><![CDATA[

[10]

G. McGraw, Software Security: Building Security In, Addison-Wesley Professional, 2006.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="956d1579-3a33-4c3e-ae20-31e02962e954"><ac:plain-text-body><![CDATA[

[11]

G. Peterson, P. Hope and S. Lavenhar, "Architectural Risk Analysis," 2 July 2013. [Online]. Available: https://www.us-cert.gov/bsi/articles/best-practices/architectural-risk-analysis/architectural-risk-analysis. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="dc4607b9-2d81-49d5-a4cb-2cc0bff2be43"><ac:plain-text-body><![CDATA[

[12]

J. Ryoo, R. Kazman and P. Anand, "Architectural Analysis for Security," IEEE Security & Privacy, vol. 13, no. 6, pp. 52-59, 2015.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ce83ac4d-238c-4996-b783-2fb807a98b28"><ac:plain-text-body><![CDATA[

[13]

A. Householder, "Like Nailing Jelly to the Wall: Difficulties in Defining 'Zero-Day Exploit'," CERT, 7 July 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/07/like-nailing-jelly-to-the-wall-difficulties-in-defining-zero-day-exploit.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5311c035-0fc1-455d-b9ad-5ea69c83a3c7"><ac:plain-text-body><![CDATA[

[14]

MITRE, "Common Vulnerabilities and Exposures," [Online]. Available: https://cve.mitre.org/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b1ed7482-0547-4558-a4c2-6992b4eed782"><ac:plain-text-body><![CDATA[

[15]

CERT/CC, "Vulnerability Notes Database," [Online]. Available: https://www.kb.cert.org/vuls. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="deb3e317-e6ed-4e6e-95e0-be2a331e6853"><ac:plain-text-body><![CDATA[

[16]

SecurityFocus, "Vulnerabilities," [Online]. Available: http://www.securityfocus.com/bid. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="15241d04-b4a0-42b3-8058-872627e90c88"><ac:plain-text-body><![CDATA[

[17]

ISO/IEC, "ISO/IEC 29147:2014 Information technology—Security techniques—Vulnerability disclosure," 2014.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a0f4e943-fa80-4447-8ce9-b5e363a209a5"><ac:plain-text-body><![CDATA[

[18]

S. Christey and C. Wysopal, "Responsible Vulnerability Disclosure Process draft-christey-wysopal-vuln-disclosure-00.txt," February 2002. [Online]. Available: https://tools.ietf.org/html/draft-christey-wysopal-vuln-disclosure-00. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="518c2f93-96f3-49cd-b172-051d37de6064"><ac:plain-text-body><![CDATA[

[19]

MSRC Ecosystem Strategy Team, "Coordinated Vulnerability Disclosure: Bringing Balance to the Force," 22 July 2010. [Online]. Available: https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="61dbdb77-c17b-4e82-a686-043ea1c3e538"><ac:plain-text-body><![CDATA[

[20]

Microsoft Security Response Center, "Coordinated Vulnerability Disclosure," Microsoft, [Online]. Available: https://technet.microsoft.com/en-us/security/dn467923.aspx. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a9022d2b-9256-40ae-b7aa-62be6a460dc0"><ac:plain-text-body><![CDATA[

[21]

M. Souppaya and K. Scarfone, "NIST Special Publication 800-40 Revision 3 Guide to Enterprise Patch Management Technologies," U.S. Department of Commerce, 2013.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="da27c942-2855-402a-aab0-ce44192f4623"><ac:plain-text-body><![CDATA[

[22]

A. Arora, A. Nandkumar and R. Telang, "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, vol. 8, no. 5, pp. 350-362, 2006.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="736b9d22-abc8-443a-a062-3a18b6fd1e14"><ac:plain-text-body><![CDATA[

[23]

FIRST, "Forum for Incident Response and Security Teams," [Online]. Available: https://www.first.org/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="caf48fe8-cfb1-4781-9532-eb9be35f3c4a"><ac:plain-text-body><![CDATA[

[24]

FIRST, "Vulnerability Coordination SIG," [Online]. Available: https://www.first.org/global/sigs/vulnerability-coordination. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2277350c-c426-44a9-af17-538271d898f3"><ac:plain-text-body><![CDATA[

[25]

National Telecommunications and Information Administration, "Multistakeholder Process: Cybersecurity Vulnerabilities," 15 December 2016. [Online]. Available: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bf23123b-f4e0-4324-acc0-50f292441d71"><ac:plain-text-body><![CDATA[

[26]

Harm Reduction Coalition, "Principles of Harm Reduction," [Online]. Available: http://harmreduction.org/about-us/principles-of-harm-reduction/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b6a7f5c6-359e-4ca5-a727-7366870ed18f"><ac:plain-text-body><![CDATA[

[27]

Harm Reduction Coalition, "What is harm reduction?" [Online]. Available: https://www.hri.global/what-is-harm-reduction. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5f33efa6-d84a-48cf-8823-91fc81326e11"><ac:plain-text-body><![CDATA[

[28]

A. Householder, "Systemic Vulnerabilities: An Allegorical Tale of Steampunk Vulnerability to Aero-Physical Threats," August 2015. [Online]. Available: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=442528. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="edc15d31-5600-44d8-b5b1-a36f23089bed"><ac:plain-text-body><![CDATA[

[29]

I Am The Cavalry, "5 Motivations of Security Researchers," [Online]. Available: https://www.iamthecavalry.org/motivations/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a0bee05c-fa23-4e2a-b4cf-f9c394e83225"><ac:plain-text-body><![CDATA[

[30]

NTIA Awareness and Adoption Working Group, "Vulnerability Disclosure Attitudes and Actions: A Research Report from the NTIA Awareness and Adoption Group," 15 December 2016. [Online]. Available: https://www.ntia.doc.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclosure_insights_report.pdf. [Accessed 6 June 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2c32fbd8-a7a3-4679-ad2d-d1134b506f33"><ac:plain-text-body><![CDATA[

[31]

FIRST, "Ethics SIG," [Online]. Available: https://www.first.org/global/sigs/ethics. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fe9a21b9-6944-44af-a474-2cff99e5b687"><ac:plain-text-body><![CDATA[

[32]

Association for Computing Machinery, "ACM Code of Ethics and Professional Conduct," 16 October 1992. [Online]. Available: https://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c5ad7e98-1e3b-4a6e-842f-eb91ba298210"><ac:plain-text-body><![CDATA[

[33]

USENIX, "System Administrators' Code of Ethics," 30 September 2003. [Online]. Available: https://www.usenix.org/system-administrators-code-ethics. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2a1148a3-de45-451a-9f45-2393f0dc5fc8"><ac:plain-text-body><![CDATA[

[34]

American Press Institute, "What is the purpose of journalism?" [Online]. Available: https://www.americanpressinstitute.org/journalism-essentials/what-is-journalism/purpose-journalism/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="665bc6ee-f571-4aa9-a913-38df42522f1b"><ac:plain-text-body><![CDATA[

[35]

Society of Professional Journalists, "SPJ Code of Ethics," 6 September 2014. [Online]. Available: https://www.spj.org/ethicscode.asp. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="288d5038-eec2-4690-ac0b-8baa3892df1f"><ac:plain-text-body><![CDATA[

[36]

A. Ozment and S. E. Schechter, "Milk or wine: Does software security improve with age?" in USENIX Security, 2006.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6de96c42-5a3b-487e-9967-d506c45ec178"><ac:plain-text-body><![CDATA[

[37]

K. Matsudaira, "Bad Software Architecture Is a People Problem," Communications of the ACM, vol. 59, no. 9, pp. 42-43, September 2016.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b6340185-47bb-4904-a2a9-2eb8857af64d"><ac:plain-text-body><![CDATA[

[38]

J. M. Wing, "A Symbiotic Relationship Between Formal Methods and Security," in Proceedings of the Conference on Computer Security, Dependability and Assurance: From Needs to Solutions, 1998.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="107e3df2-d64c-44a7-ae82-3f4664921253"><ac:plain-text-body><![CDATA[

[39]

E. Bobukh, "Equation of a Fuzzing Curve — Part 1/2," 18 December 2014. [Online]. Available: https://blogs.msdn.microsoft.com/eugene_bobukh/2014/12/18/equation-of-a-fuzzing-curve-part-12/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c7742f1c-fe3e-4d6a-bfdb-40c7404bbba5"><ac:plain-text-body><![CDATA[

[40]

E. Bobukh, "Equation of a Fuzzing Curve — Part 2/2," 6 January 2015. [Online]. Available: https://blogs.msdn.microsoft.com/eugene_bobukh/2015/01/06/equation-of-a-fuzzing-curve-part-22/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="67e1a88a-c5b8-4e69-933e-d9b6b3fc91e6"><ac:plain-text-body><![CDATA[

[41]

H. W. Rittel and M. M. Webber, "Dilemmas in a General Theory of Planning," Policy Sciences, vol. 4, pp. 155-169, June 1973.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="aea10259-3feb-4f03-a696-18d3edfe53ea"><ac:plain-text-body><![CDATA[

[42]

BBC, "Xbox password flaw exposed by five-year-old boy," 4 April 2014. [Online]. Available: http://www.bbc.com/news/technology-26879185. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7c331e06-19d5-48ec-bd9f-dbb166702983"><ac:plain-text-body><![CDATA[

[43]

Microsoft, "What is the Security Development Lifecycle?" [Online]. Available: https://www.microsoft.com/en-us/sdl/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cd68d753-5156-4202-8b17-5ebf092130c6"><ac:plain-text-body><![CDATA[

[44]

BSIMM, "BSIMM Framework," [Online]. Available: https://www.bsimm.com/framework/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c9688eb3-812f-4eb8-936c-00175da5d1e5"><ac:plain-text-body><![CDATA[

[45]

ISO/IEC, "ISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes," 2013.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5ffd9ad3-3360-4d3d-a822-5f616afb801b"><ac:plain-text-body><![CDATA[

[46]

Microsoft, "Microsoft Security Response Center," [Online]. Available: https://technet.microsoft.com/en-us/security/dn440717.aspx. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b4eb2754-551b-4703-8297-d2b2d7d79ab5"><ac:plain-text-body><![CDATA[

[47]

Cisco Systems, "Security Vulnerability Policy," [Online]. Available: https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f6f34807-59b6-482b-bf35-bf0d4f70451f"><ac:plain-text-body><![CDATA[

[48]

FIRST, "FIRST Teams," [Online]. Available: https://www.first.org/members/teams. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a473e0c9-0fb3-48d2-b6d0-166f11b29f1f"><ac:plain-text-body><![CDATA[

[49]

CERT Division, "CSIRT Frequently Asked Questions (FAQ)," Software Engineering Institute, [Online]. Available: https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2fbc8a8a-c282-4400-83f0-d3a5d75fadcf"><ac:plain-text-body><![CDATA[

[50]

CERT Division, "Incident Management: Resources for National CSIRTs," Software Engineering Institute, [Online]. Available: https://www.cert.org/incident-management/national-csirts/index.cfm. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8b26cb51-9ff5-4089-8799-8be270fc6688"><ac:plain-text-body><![CDATA[

[51]

CERT, "List of National CSIRTs," [Online]. Available: https://www.cert.org/incident-management/national-csirts/national-csirts.cfm. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d92ceafc-235f-4981-9b6c-b115c8e66a31"><ac:plain-text-body><![CDATA[

[52]

BugCrowd, "BugCrowd," [Online]. Available: https://bugcrowd.com/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="84ee1a8e-73ca-4607-bef9-7d9418e8beac"><ac:plain-text-body><![CDATA[

[53]

HackerOne, "HackerOne," [Online]. Available: https://www.hackerone.com. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="027d1a45-0e50-4801-b713-e8024e02ae4d"><ac:plain-text-body><![CDATA[

[54]

SynAck, "SynAck," [Online]. Available: https://www.synack.com. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="800a3632-ef71-4ad1-a082-df0ef04c0309"><ac:plain-text-body><![CDATA[

[55]

Cobalt Labs Inc., "Cobalt," [Online]. Available: https://cobalt.io/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="daaa3c92-db09-4fbf-b9ad-1b84c8bd77cf"><ac:plain-text-body><![CDATA[

[56]

CERT, "Vulnerability Analysis," [Online]. Available: https://www.cert.org/vulnerability-analysis/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6455f29c-eb94-4eea-b4a1-84cb5418c278"><ac:plain-text-body><![CDATA[

[57]

National Cyber Security Centre Netherlands, "NCSC-NL," [Online]. Available: https://www.ncsc.nl/english. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="242adadb-5ee1-4fb8-a765-79ef87bfdf80"><ac:plain-text-body><![CDATA[

[58]

NCSC-FI, "Finnish Communications Regulatory Authority / National Cyber Security Centre Finland," [Online]. Available: https://www.viestintavirasto.fi/en/cybersecurity.html.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="640bb9b3-c42e-48fe-aeb4-cc1a1a30ea9a"><ac:plain-text-body><![CDATA[

[59]

JPCERT/CC, "Japan Computer Emergency Response Team Coordination Center," [Online]. Available: https://www.jpcert.or.jp/english/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="abf82ab2-6169-4a51-b761-633a13a72c9b"><ac:plain-text-body><![CDATA[

[60]

U.S. Department of Homeland Security, "Information Sharing and Analysis Organizations (ISAOs)," [Online]. Available: https://www.dhs.gov/isao. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="67eaee14-b432-4489-bf5b-bbcaa88f1b9b"><ac:plain-text-body><![CDATA[

[61]

National Council of ISACs, "National Council of ISACs," [Online]. Available: https://www.nationalisacs.org/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6ebd0751-af98-439a-8bd8-bffe43e48477"><ac:plain-text-body><![CDATA[

[62]

W. Dormann, "Supporting the Android Ecosystem," 19 October 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/10/supporting-the-android-ecosystem.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="86940a34-83f5-4252-8d81-d7f7cc89b2a7"><ac:plain-text-body><![CDATA[

[63]

U.S. Food & Drug Administration, "Medical Device Reporting (MDR)," [Online]. Available: https://www.fda.gov/medicaldevices/safety/reportaproblem/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9fa4247c-9cbb-4fc6-b1d2-023518e7c32e"><ac:plain-text-body><![CDATA[

[64]

National Highway Traffic Safety Administration, "File a Vehicle Safety Complaint," [Online]. Available: https://www-odi.nhtsa.dot.gov/VehicleComplaint/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e3975784-5c39-444d-bb6f-e72afa08af4b"><ac:plain-text-body><![CDATA[

[65]

Federal Aviation Administration, "Report Safety Issues," [Online]. Available: https://www.faa.gov/aircraft/safety/report/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b0eb20ba-fb65-489c-989c-24fdcf8d6ace"><ac:plain-text-body><![CDATA[

[66]

NASA Office of the Chief Engineer, "NASA Lessons Learned," NASA Lessons Learned Steering Committee (LLSC), [Online]. Available: https://www.nasa.gov/offices/oce/functions/lessons/index.html. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="607c0c96-ef63-4003-bf0a-4168411489c1"><ac:plain-text-body><![CDATA[

[67]

European Commission, "Dual Use Controls: Commission proposes to modernise and strengthen controls on exports of dual-use items," 28 September 2016. [Online]. Available: http://europa.eu/rapid/press-release_IP-16-3190_en.htm. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2ea7522b-11db-430f-9143-7c00e0d20624"><ac:plain-text-body><![CDATA[

[68]

FIRST, "Vulnerability Database Catalog," FIRST VRDX SIG, 17 March 2016. [Online]. Available: https://www.first.org/global/sigs/vrdx/vdb-catalog. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="73412e35-7bea-47d1-bd30-4bdd817a851a"><ac:plain-text-body><![CDATA[

[69]

J. T. Chambers and J. W. Thompson, "National Infrastructure Advisory Council Vulnerability Disclosure Framework Final Report and Recommendations by the Council," 13 January 2004. [Online]. Available: https://www.dhs.gov/xlibrary/assets/vdwgreport.pdf. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6067c751-7fdc-48b8-a70e-420dbfea631d"><ac:plain-text-body><![CDATA[

[70]

J. C. Knight, "Safety critical systems: challenges and directions," in ICSE '02 Proceedings of the 24th International Conference on Software Engineering, Orlando, 2002.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5d947e1d-6149-4bd9-b292-bf1d0fa01dc2"><ac:plain-text-body><![CDATA[

[71]

U.S. Department of Health & Human Services, "Health Information Privacy," [Online]. Available: https://www.hhs.gov/hipaa/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="76743252-405d-4cb5-bf73-902b0cac58f1"><ac:plain-text-body><![CDATA[

[72]

U.S. Department of Education, "Family Educational Rights and Privacy Act (FERPA)," [Online]. Available: https://ed.gov/policy/gen/guid/fpco/ferpa/index.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a09f27d2-b46e-4125-a01c-fdde7c3a4a2b"><ac:plain-text-body><![CDATA[

[73]

Federal Trade Commission, "Children's Online Privacy Protection Rule ('COPPA')," [Online]. Available: https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ae46aa8d-87d7-4d6a-af26-67e8313f8f25"><ac:plain-text-body><![CDATA[

[74]

PCI Security Standards Council, "PCI Security," [Online]. Available: https://www.pcisecuritystandards.org/pci_security/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5b52119e-f2b2-4b56-9ddd-ffd95def23d5"><ac:plain-text-body><![CDATA[

[75]

Electronic Frontier Foundation, "Coders' Rights Project Vulnerability Reporting FAQ," [Online]. Available: https://www.eff.org/issues/coders/vulnerability-reporting-faq. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c07b1397-4747-4f8e-91a2-54bd94f8f813"><ac:plain-text-body><![CDATA[

[76]

K. Price, "Writing a bug report - Attack Scenario and Impact are key!" 2 August 2015. [Online]. Available: https://forum.bugcrowd.com/t/writing-a-bug-report-attack-scenario-and-impact-are-key/640. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="74cc1f51-701a-4cb7-90fc-5cba8e699176"><ac:plain-text-body><![CDATA[

[77]

MITRE, "Common Weakness Enumeration (CWE)," [Online]. Available: https://cwe.mitre.org/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="811e21a2-244c-467f-aed8-e55f9e9390b1"><ac:plain-text-body><![CDATA[

[78]

MITRE, "Common Attack Pattern Enumeration and Classification," [Online]. Available: https://capec.mitre.org/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3ec99577-9a5c-42f5-9a57-bd08e31db394"><ac:plain-text-body><![CDATA[

[79]

CERT/CC, "Vulnerability Reporting Form," [Online]. Available: https://vulcoord.cert.org/VulReport/. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9df61c70-be8b-4898-9762-8a87f2db3a89"><ac:plain-text-body><![CDATA[

[80]

FIRST, "Common Vulnerability Scoring System," [Online]. Available: https://www.first.org/cvss. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c8923947-d022-41e8-944b-2be0df50f319"><ac:plain-text-body><![CDATA[

[81]

MITRE, "Common Weakness Scoring System (CWSS) version 1.0.1," 5 September 2014. [Online]. Available: https://cwe.mitre.org/cwss/cwss_v1.0.1.html. [Accessed 17 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7242de47-26e7-4357-93ed-46a95d233390"><ac:plain-text-body><![CDATA[

[82]

Security Focus, "BugTraq Archive," [Online]. Available: http://www.securityfocus.com/archive/1. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="43330a61-b192-4978-844a-99568c2f241d"><ac:plain-text-body><![CDATA[

[83]

Seclists.org, "Full Disclosure Mailing List," [Online]. Available: http://seclists.org/fulldisclosure/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6ea232f3-1749-4b6f-94bb-1322d02f6c9c"><ac:plain-text-body><![CDATA[

[84]

MITRE, "Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) Rules Version 1.1," 16 September 2016. [Online]. Available: https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="185e8ed8-fe05-487a-89eb-b6e1c7446808"><ac:plain-text-body><![CDATA[

[85]

J. Postel, "Internet Protocol (RFC 760)," 1980.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d395a9c6-2d5b-48c9-9996-42ef16c3c711"><ac:plain-text-body><![CDATA[

[86]

N. Brownlee and E. Guttman, "Expectations for Computer Security Incident Response," The Internet Society, 1998.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0ac6f449-495f-42ce-a1ef-4d8debf8b9ca"><ac:plain-text-body><![CDATA[

[87]

S. Shepherd, "Vulnerability Disclosure: How Do We Define Responsible Disclosure?" SANS GIAC SEC Practical Repository, 2003.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b6960e27-b25b-42f9-8de9-062eacd3b3c3"><ac:plain-text-body><![CDATA[

[88]

FIRST, "Multi-Party Coordination and Disclosure," [Online]. Available: https://www.first.org/global/sigs/vulnerability-coordination/multiparty. [Accessed 6 June 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5b923564-9ca5-45da-a684-5b15a6dbceb5"><ac:plain-text-body><![CDATA[

[89]

Codenomicon, "The Heartbleed Bug," 29 April 2014. [Online]. Available: http://heartbleed.com/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1307a895-35af-420d-9c7d-e21e97cbab11"><ac:plain-text-body><![CDATA[

[90]

J. P. Lanza, "Vulnerability Note VU#484891 Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server Resolution Service," 26 July 2002. [Online]. Available: https://www.kb.cert.org/vuls/id/484891. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fa8c98f7-eb59-4134-b78e-a6c7aa9ba4c6"><ac:plain-text-body><![CDATA[

[91]

W. Dormann, "Vulnerability Note VU#916896 Oracle Outside In 8.5.2 contains multiple stack buffer overflows," 20 January 2016. [Online]. Available: https://www.kb.cert.org/vuls/id/916896. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8d0678d7-b168-4613-9a90-4be85ead0e5c"><ac:plain-text-body><![CDATA[

[92]

W. Dormann, "Vulnerability Note VU#582497 Multiple Android applications fail to properly validate SSL certificates," CERT/CC, 3 September 2014. [Online]. Available: https://www.kb.cert.org/vuls/id/582497. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c3bcafbb-718c-4d5c-a06a-5d83879d206b"><ac:plain-text-body><![CDATA[

[93]

W. Dormann, "Android apps that fail to validate SSL," 29 August 2014. [Online]. Available: https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fdad01a5-40b1-4ab0-a08f-97bb86564337"><ac:plain-text-body><![CDATA[

[94]

University of Oulu, "PROTOS Test-Suite: c06-snmpv1," 2002. [Online]. Available: https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c06-snmpv1. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9c411f93-11f2-419c-8d30-ea6a44a5a208"><ac:plain-text-body><![CDATA[

[95]

I. A. Finlay, S. V. Hernan, J. A. Rafail, C. Dougherty, A. D. Householder, M. Lindner and A. Manion, "Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)," CERT/CC, 12 February 2002. [Online]. Available: https://www.cert.org/historical/advisories/CA-2002-03.cfm. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="43456553-f483-4d50-bc56-c7aa7f7d18b6"><ac:plain-text-body><![CDATA[

[96]

I. A. Finlay, "Vulnerability Note VU#854306 Multiple vulnerabilities in SNMPv1 request handling," CERT/CC, 12 February 2002. [Online]. Available: https://www.kb.cert.org/vuls/id/854306. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="47a6914c-ab2e-494d-8f42-03742d3cbbe0"><ac:plain-text-body><![CDATA[

[97]

I. A. Finlay, "Vulnerability Note VU#107186 Multiple vulnerabilities in SNMPv1 trap handling," CERT/CC, 12 February 2002. [Online]. Available: https://www.kb.cert.org/vuls/id/107186. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5533e0f2-bf5e-4b2f-974f-b82120f54bec"><ac:plain-text-body><![CDATA[

[98]

B. Stock, G. Pellegrino and C. Rossow, "Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification," in 25th USENIX Security Symposium, 2016.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2f46a747-73de-47d7-b2ab-9776789500b2"><ac:plain-text-body><![CDATA[

[99]

R. M. Axelrod, The Evolution of Cooperation, Revised ed., Basic Books, 2006.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f01ad78e-8c33-47e3-bfa1-a5403d871c66"><ac:plain-text-body><![CDATA[

[100]

D. R. Grimes, "On the Viability of Conspiratorial Beliefs," PLOS One, vol. 11, no. 1, p. e0147905, 26 January 2016.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ec163f1b-6b57-4355-bb28-b555e411dac0"><ac:plain-text-body><![CDATA[

[101]

Black Hat, "Black Hat," [Online]. Available: https://www.blackhat.com/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0ceb4a75-7f7d-456f-8ec2-8236f22ba9c6"><ac:plain-text-body><![CDATA[

[102]

DEF CON, "DEF CON," [Online]. Available: https://www.defcon.org/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6e6ab251-63af-475b-b545-bc4c25944215"><ac:plain-text-body><![CDATA[

[103]

USENIX, "USENIX Security Conferences," [Online]. Available: https://www.usenix.org/conferences/byname/108. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f620712e-ed2c-4eb1-9662-9706b7aa3732"><ac:plain-text-body><![CDATA[

[104]

RSA, "RSA Conference," [Online]. Available: https://www.rsaconference.com/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="32e59c20-adcf-4b69-b856-9c51d934f3dd"><ac:plain-text-body><![CDATA[

[105]

CanSecWest, "CanSecWest Vancouver 2018," [Online]. Available: https://cansecwest.com/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7341f367-1849-4e31-a060-a28c7e756a6f"><ac:plain-text-body><![CDATA[

[106]

Federal Trade Commission, "ASUSTeK Computer Inc., In the Matter of," 28 July 2016. [Online]. Available: https://www.ftc.gov/enforcement/cases-proceedings/142-3156/asustek-computer-inc-matter. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="76391ba8-37af-4c49-8661-adbaa017c316"><ac:plain-text-body><![CDATA[

[107]

Federal Trade Commission, "HTC America Inc., In the Matter of," 2 July 2013. [Online]. Available: https://www.ftc.gov/enforcement/cases-proceedings/122-3049/htc-america-inc-matter. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c51939bd-abf9-4537-bb3f-ddc53606b587"><ac:plain-text-body><![CDATA[

[108]

Federal Trade Commission, "Fandango, LLC," 19 August 2014. [Online]. Available: https://www.ftc.gov/enforcement/cases-proceedings/132-3089/fandango-llc. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="48ed4cf7-9825-4196-adf3-1c476c77d098"><ac:plain-text-body><![CDATA[

[109]

A. Askar, "Minecraft Vulnerability Advisory," 16 April 2015. [Online]. Available: http://blog.ammaraskar.com/minecraft-vulnerability-advisory/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="100e89b3-84dc-43f7-ae14-0418190c08cf"><ac:plain-text-body><![CDATA[

[110]

A. Ozment, "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting," in Workshop on Economics and Information Security, 2005.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f6dc72dc-5582-4dc3-b819-ef3a6bae9fbb"><ac:plain-text-body><![CDATA[

[111]

M. Finifter, D. Akhawe and D. Wagner, "An Empirical Study of Vulnerability Rewards Programs," in 22nd USENIX Security Symposium, 2013.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fdd319e9-b1d9-430c-932f-b5ebf8619861"><ac:plain-text-body><![CDATA[

[112]

L. Ablon and T. Bogart, "Zero Days, Thousands of Nights," RAND Corporation, 2017.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c64457c7-54f4-4e27-8b8d-d8ed89c6232e"><ac:plain-text-body><![CDATA[

[113]

T. Herr and B. Schneier, "Taking Stock: Estimating Vulnerability Rediscovery," 7 March 2017. [Online]. Available: https://ssrn.com/abstract=2928758. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7bd52316-f357-4fde-a15e-655b50ecc7ec"><ac:plain-text-body><![CDATA[

[114]

B. Grubb, "Heartbleed disclosure timeline: who knew what and when," The Sydney Morning Herald, 15 April 2014. [Online]. Available: http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="22f55220-0579-4917-bf07-a74d4484c4c7"><ac:plain-text-body><![CDATA[

[115]

SerNet, "Badlock Bug," 12 April 2016. [Online]. Available: http://www.badlock.org/. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="da2fddea-20b7-440e-9ab2-e1dc2d8760b9"><ac:plain-text-body><![CDATA[

[116]

N. Perlroth, "Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant," 25 September 2014. [Online]. Available: https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="75f136b3-8866-4773-9510-78cbcaf7bd40"><ac:plain-text-body><![CDATA[

[117]

A. Sarwate, "The GHOST Vulnerability," 27 January 2015. [Online]. Available: https://blog.qualys.com/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cecd7cb0-717c-4d13-bf53-fc306de4f281"><ac:plain-text-body><![CDATA[

[118]

A. Watts, C. Huang and L. Chih-chang, Tao: The Watercourse Way, Pantheon, 1975.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f86e8d87-2d20-47f1-aef3-f1b9ebf7c814"><ac:plain-text-body><![CDATA[

[119]

M. Masnick, "For 10 Years Everyone's Been Using 'The Streisand Effect' Without Paying; Now I'm Going To Start Issuing Takedowns," 8 January 2015. [Online]. Available: https://www.techdirt.com/articles/20150107/13292829624/10-years-everyones-been-using-streisand-effect-without-paying-now-im-going-to-start-issuing-takedowns.shtml. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="efefd6c2-5483-4f06-bb0c-978417529895"><ac:plain-text-body><![CDATA[

[120]

R. Devendra, "Key Elements of the Sprint Retrospective," 24 April 2014. [Online]. Available: https://www.scrumalliance.org/community/articles/2014/april/key-elements-of-sprint-retrospective. [Accessed 23 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a1d17855-2cf7-4cb6-a6b4-95079bcd3502"><ac:plain-text-body><![CDATA[

[121]

CERT/CC, "Sending Sensitive Information," [Online]. Available: https://www.cert.org/contact/sensitive-information.cfm. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e7da7297-b8f1-4552-ae87-fefbc33d1f00"><ac:plain-text-body><![CDATA[

[122]

Symantec, "Symantec Desktop Email Encryption," [Online]. Available: https://www.symantec.com/products/information-protection/encryption/desktop-email-encryption. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="52d2457c-7729-4f07-ae87-fb918496783c"><ac:plain-text-body><![CDATA[

[123]

The GnuPG Project, "GNU Privacy Guard," [Online]. Available: https://gnupg.org/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5bebbb6d-18d7-4acb-b0d9-9f361a386eeb"><ac:plain-text-body><![CDATA[

[124]

B. Ramsdell and S. Turner, "RFC 5751 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification," January 2010. [Online]. Available: https://tools.ietf.org/html/rfc5751. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a7207319-c91e-4fa3-9274-7a788280d372"><ac:plain-text-body><![CDATA[

[125]

Internet Security Research Group (ISRG), "Let's Encrypt," [Online]. Available: https://letsencrypt.org/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ae6758c9-6e09-4872-8b0d-61156e3880a1"><ac:plain-text-body><![CDATA[

[126]

The Enigmail Project, "Enigmail," [Online]. Available: https://www.enigmail.net/index.php/en/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="73a34c49-c1f4-4e59-8f4a-7417bad2d07a"><ac:plain-text-body><![CDATA[

[127]

Gpg4win Initiative, "GNU Privacy Guard for Windows," [Online]. Available: https://www.gpg4win.org/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8743e151-0754-48e1-a630-51de88dc25dc"><ac:plain-text-body><![CDATA[

[128]

"KGpg," [Online]. Available: https://utils.kde.org/projects/kgpg/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d9077b68-be5d-43d0-a2e0-b66c74403237"><ac:plain-text-body><![CDATA[

[129]

G. Wassermann, "Reach Out and Mail Someone," 6 August 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/08/reach-out-and-mail-someone.html. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="98215303-bd8a-4b72-afcd-60656d181604"><ac:plain-text-body><![CDATA[

[130]

"White Source Software," [Online]. Available: https://www.whitesourcesoftware.com/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="00293e7f-8eaf-4e7c-9198-1e8eb7f81052"><ac:plain-text-body><![CDATA[

[131]

"Black Duck Software," [Online]. Available: https://www.blackducksoftware.com. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="24c230d7-3699-43f0-8a06-d8a104525aff"><ac:plain-text-body><![CDATA[

[132]

"Sonatype," [Online]. Available: https://www.sonatype.com/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="75e6ae39-3232-4357-baae-ddf65a503ec1"><ac:plain-text-body><![CDATA[

[133]

"Synopsys," [Online]. Available: https://www.synopsys.com/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9942dd47-9f98-4fa5-b82b-f896d066c54b"><ac:plain-text-body><![CDATA[

[134]

"Flexera Software," [Online]. Available: https://www.flexerasoftware.com/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7478378d-e1e1-4d5a-a7e0-bbae9a06a5d7"><ac:plain-text-body><![CDATA[

[135]

TagVault.org, "SWID Tags," [Online]. Available: http://tagvault.org/swid-tags/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="816e4183-2874-422f-bdbd-9bc9b201ae21"><ac:plain-text-body><![CDATA[

[136]

National Institute of Standards and Technology, "Common Platform Enumeration (CPE)," [Online]. Available: https://scap.nist.gov/specifications/cpe/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="476737e4-80e7-48ac-9157-e0ff00663a3a"><ac:plain-text-body><![CDATA[

[137]

SPDX Workgroup, "Software Package Data Exchange," [Online]. Available: https://spdx.org/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cf46cb28-65c8-4323-9fd1-131062dc193a"><ac:plain-text-body><![CDATA[

[138]

CERT, "Dranzer," [Online]. Available: https://vuls.cert.org/confluence/display/tools/Dranzer. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="00c54796-5c23-430b-a09d-7e84d029755e"><ac:plain-text-body><![CDATA[

[139]

CERT, "BFF - Basic Fuzzing Framework," [Online]. Available: https://vuls.cert.org/confluence/display/tools/CERT+BFF+-+Basic+Fuzzing+Framework. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="45da641c-f699-4a3d-bd94-8c6d6fcd6775"><ac:plain-text-body><![CDATA[

[140]

FIRST, "TRAFFIC LIGHT PROTOCOL (TLP) FIRST Standards Definitions and Usage Guidance — Version 1.0," [Online]. Available: https://www.first.org/tlp. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fc4c7380-1fb7-447d-891f-519706675a40"><ac:plain-text-body><![CDATA[

[141]

B. Rothke, "Building a Security Operations Center (SOC)," 29 February 2012. [Online]. Available: https://www.rsaconference.com/events/us12/agenda/sessions/683/building-a-security-operations-center-soc. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="be733a17-431c-4f25-9f1e-e65cdd654914"><ac:plain-text-body><![CDATA[

[142]

S. Ragan, "Avoiding burnout: Ten tips for hackers working incident response," 30 April 2014. [Online]. Available: http://www.csoonline.com/article/2149900/infosec-careers/avoiding-burnout-ten-tips-for-hackers-working-incident-response.html. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c0f35220-b634-43d7-98e6-e0b681edded6"><ac:plain-text-body><![CDATA[

[143]

S. C. Sundaramurthy, A. G. Bardas, J. Case, X. Ou, M. Wesch, J. McHugh and S. R. Rajagopalan, "A human capital model for mitigating security analyst burnout," in Proceedings of the Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), July 2015.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="20150fac-2ea2-43c8-9073-514e92ecf10c"><ac:plain-text-body><![CDATA[

[144]

A. Householder, "Vulnerability IDs, Fast and Slow," 11 March 2016. [Online]. Available: https://insights.sei.cmu.edu/cert/2016/03/vulnerability-ids-fast-and-slow.html. [Accessed 7 June 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4e6045bc-d028-4fe6-879a-b092539c014e"><ac:plain-text-body><![CDATA[

[145]

N. Mercer, "Further simplifying servicing models for Windows 7 and Windows 8.1," 15 August 2016. [Online]. Available: https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c5bd5358-1e22-4a8f-9146-66ac0794c5e3"><ac:plain-text-body><![CDATA[

[146]

FIRST, "Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)," [Online]. Available: https://www.first.org/global/sigs/vrdx. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f4b6baab-9c7e-4c65-b612-d57a5388dd4b"><ac:plain-text-body><![CDATA[

[147]

D. Klinedinst, "Coordinating Vulnerabilities in IoT Devices," 27 January 2016. [Online]. Available: https://insights.sei.cmu.edu/cert/2016/01/coordinating-vulnerabilities-in-iot-devices.html. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0bab3092-9778-4ef0-b512-5d403c7de435"><ac:plain-text-body><![CDATA[

[148]

S. Christey Coley and B. Martin, "Buying Into the Bias: Why Vulnerability Statistics Suck," in Black Hat, 2013.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9033b201-2627-4c64-8ef3-53e4dff7156d"><ac:plain-text-body><![CDATA[

[149]

MITRE, "CVE Abstraction Content Decisions: Rationale and Application," 15 June 2005. [Online]. Available: https://cve.mitre.org/cve/editorial_policies/cd_abstraction.html. [Accessed 24 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6a507f38-ffa4-4933-929d-8a62f7888c8e"><ac:plain-text-body><![CDATA[

[150]

National Institute of Standards and Technology, "National Vulnerability Database," [Online]. Available: https://nvd.nist.gov/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="faf6cc10-9d7c-48ee-b01f-8eed3ce51273"><ac:plain-text-body><![CDATA[

[151]

CNNVD, "China National Vulnerability Database of Information Security," [Online]. Available: http://www.cnnvd.org.cn/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4a45620a-a9be-4c2f-aa04-f5eb53dce3e6"><ac:plain-text-body><![CDATA[

[152]

CNVD, "China National Vulnerability Database," [Online]. Available: http://www.cnvd.org.cn/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="68c3af53-ec1f-4f17-89ca-dbe6ecc491e5"><ac:plain-text-body><![CDATA[

[153]

D. Kahneman, Thinking, Fast and Slow, Macmillan, 2011.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="aa9370b7-823b-49d3-9459-a3c27ea74e22"><ac:plain-text-body><![CDATA[

[154]

V. Driessen, "A successful Git branching model," 5 January 2010. [Online]. Available: http://nvie.com/posts/a-successful-git-branching-model/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bb3168f3-4f0b-444e-9ca6-61a37916d170"><ac:plain-text-body><![CDATA[

[155]

H. Booth and K. Scarfone, "Vulnerability Data Model draft-booth-sacm-vuln-model-02," 25 April 2013. [Online]. Available: https://tools.ietf.org/html/draft-booth-sacm-vuln-model-02. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b15ff2db-1cf9-4122-8665-4c1bd507bae4"><ac:plain-text-body><![CDATA[

[156]

A. Householder, "Vulnerability Discovery for Emerging Networked Systems," 20 November 2014. [Online]. Available: https://insights.sei.cmu.edu/cert/2014/11/-vulnerability-discovery-for-emerging-networked-systems.html. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b162e6d7-7e2a-4688-b4ac-a72f788e2cae"><ac:plain-text-body><![CDATA[

[157]

D. Geer, "Security of Things," 14 May 2014. [Online]. Available: http://geer.tinho.net/geer.secot.7v14.txt. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e04b4cac-fba5-45b5-8be7-d4fcfc17ea77"><ac:plain-text-body><![CDATA[

[158]

S. Arbesman, Overcomplicated: Technology at the Limits of Comprehension, Current, 2016.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="85907a26-0845-4c97-8e7d-051c2a4952cd"><ac:plain-text-body><![CDATA[

[159]

A. Householder, "What's Different About Vulnerability Analysis and Discovery in Emerging Networked Systems?," 6 January 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/01/-whats-different-about-vulnerability-analysis-and-discovery-in-emerging-networked-systems.html. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6ba02824-5b43-4a7b-ad40-84fd95dc8453"><ac:plain-text-body><![CDATA[

[160]

JPCERT/CC and IPA, "Japan Vulnerability Notes," [Online]. Available: https://jvn.jp/en/. [Accessed 16 May 2017].

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="aa92eb47-a504-4b9a-96f1-f1beda073c86"><ac:plain-text-body><![CDATA[

[161]

O. H. Alhazmi, Y. K. Malaiya and I. Ray, "Measuring, analyzing and predicting security vulnerabilities in software systems," Computers & Security, vol. 26, no. 3, pp. 219-228, 2007.

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7b61c64a-695d-45c1-843b-88f93d5bd25b"><ac:plain-text-body><![CDATA[

[162]

Wikipedia, "Wicked problem," [Online]. Available: https://en.wikipedia.org/wiki/Wicked_problem. [Accessed 5 June 2017].

]]></ac:plain-text-body></ac:structured-macro>

REPORT DOCUMENTATION PAGE
Form Approved OMB No. 0704-0188



1. Agency use only: (Leave Blank)
2. Report date: August 2017
3. Report type and dates covered: Final
4. Title and subtitle: The CERT® Guide to Coordinated Vulnerability Disclosure
5. Funding numbers: FA8721-05-C-0003
6. Author(s): Allen D. Householder, Garret Wassermann, Art Manion, Chris King
7. Performing organization name(s) and address(es): Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
8. Performing organization report number: CMU/SEI-2017-SR-022
9. Sponsoring/monitoring agency name(s) and address(es): AFLCMC/PZE/Hanscom Enterprise Acquisition Division, 20 Schilling Circle, Building 1305, Hanscom AFB, MA 01731-2116
10. Sponsoring/monitoring agency report number: n/a
11. Supplementary notes:
12a. Distribution/availability statement: Unclassified/Unlimited, DTIC, NTIS
12b. Distribution code:
13. Abstract (maximum 200 words): Security vulnerabilities remain a problem for vendors and deployers of software-based systems alike. Vendors play a key role by providing fixes for vulnerabilities, but they have no monopoly on the ability to discover vulnerabilities in their products and services. Knowledge of those vulnerabilities can increase adversarial advantage if deployers are left without recourse to remediate the risks they pose. Coordinated Vulnerability Disclosure (CVD) is the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders including the public. The CERT Coordination Center has been coordinating the disclosure of software vulnerabilities since its inception in 1988. This document is intended to serve as a guide to those who want to initiate, develop, or improve their own CVD capability. In it, the reader will find an overview of key principles underlying the CVD process, a survey of CVD stakeholders and their roles, and a description of CVD process phases, as well as advice concerning operational considerations and problems that may arise in the provision of CVD and related services.
14. Subject terms: Coordinated Vulnerability Disclosure, CVD, vulnerability response process, vulnerability report, CERT-CC, CSIRT, PSIRT, software vulnerability, software security
15. Number of pages: 122
16. Price code:
17. Security classification of report: Unclassified
18. Security classification of this page: Unclassified
19. Security classification of abstract: Unclassified
20. Limitation of abstract: UL

NSN 7540-01-280-5500
Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. Z39-18 298-102