A4 Article in conference proceedings
Exploring the Clustering of Software Vulnerability Disclosure Notifications Across Software Vendors

List of Authors: Jukka Ruohonen, Johannes Holvitie, Sami Hyrynsalmi, Ville Leppänen
Place: New York
Publication year: 2017
Book title *: Proceedings of 13th ACS/IEEE International Conference on Computer Systems and Applications AICCSA 2016
ISBN: 978-1-5090-4321-7
eISBN: 978-1-5090-4320-0
ISSN: 2161-5322


This exploratory empirical paper investigates annual time delays between vulnerability disclosure notifications and acknowledgments by means of network analysis. These delays are approached through a potential clustering effect of vulnerabilities across software vendors. The analysis is based on a projection from bipartite vendor-vulnerability structures to one-mode vendor-vendor networks, while the hypothesized clustering effect is approached with a conventional community detection algorithm. According to the results, (a) vulnerabilities cluster across vendors, (b) which also explains a portion of the time delays, although (c) the clustering is not stable annually. (d) The computed network clusters can also be interpreted by reflecting them against common software security attack surfaces. The results can be used to contemplate (e) practical means with which the efficiency of vulnerability disclosure could be improved.

This is an electronic reprint of the original article.
This reprint may differ from the original in pagination and typographic detail. Please cite the original version.

Last updated on 2019-29-01 at 19:58