A Roadmap for More Effective Web Vulnerability Notification
Building on their initial research on large-scale web vulnerability notification, B. Stock et al. , researchers at CISPA, Saarland University, sought to lay the groundwork for a more effective web vulnerability notification system.
Owing to the development of scanning tools, large-scale detection of web vulnerabilities has generally become more straightforward. In a nutshell, the process involves getting a list of domains and scanning them for security issues. However, such ease in vulnerability discovery is a two-edged sword—both researchers and cyber attackers can take advantage of it, albeit with contrasting purposes.
Addressing the discovered vulnerabilities promptly is crucial, and at the heart of this goal is effective web vulnerability notification. Previous studies ,  established a relatively high association between the receipt of the notifications and the subsequent remediation of reported issues. Still, large-scale web vulnerability notification has a low fix rate.
The Problem: Why Is There a Disconnect?
The roadblock lies in the successful delivery of vulnerability notifications. In one study , only 5.8% of 35,832 vulnerability reports were actually received by concerned parties, leaving thousands of issues unpatched and vulnerable to attackers.
While there are several factors that affect the effectiveness of vulnerability reports to the concerned parties, they can be categorized into two:
- Technical: The bounce rate observed in the study  was attributed to the recipients’ email provider’s spam filtering.
- Nontechnical: The human factor also played a role in failing to address reported security issues. For instance, some parties expressed that among the reasons for ignoring the notifications is the fact that they didn’t trust them.
Aside from identifying the barriers toward more successful notification campaigns, B. Stock et al. also explored alternative communication platforms, such as social media, snail mail, and phone conversations.
The researchers analyzed more than 24,000 domains, which were scanned for the following security issues:
- Cross-site scripting (XSS) vulnerabilities in WordPress
- CVE-2016-4566 and CVE-2016-4567
- Publicly accessible Git repositories
A key step in the research is gathering notification contacts, which involved obtaining domain WHOIS information. To hasten the process, the researchers extracted already parsed contact emails from WhoisXML API’s WHOIS database. Generic email addresses were also selected. Among them are those that contain security@, abuse@, webmaster@, and info@.
Three types of notification messages were sent out—automated plaintext emails, automated HTML-based emails, and a variant with a more friendly and non-technical tone.
Findings: Laying the Groundwork for More Effective Vulnerability Notification
B. Stock et al. effectively laid out the road map for future studies to make vulnerability notification more successful.
Automated Emails Are a Good Option
Automated emails still emerged as the most cost-effective medium. More Git reports were accessed when postal mail and phone calls were used as communication channels, but these were also the most expensive. Friendly communication received the highest number of views but did not result in a high fix rate since the messages didn’t contain the report details.
Correct Point of Contact: WHOIS Technical Email Address
Furthermore, the research highlighted the need for obtaining the correct point of contact for the website. Based on the respondents’ inputs, the WHOIS technical email contact, and the address listed on the website are particularly common.
While WHOIS technical email contact email addresses can easily be extracted from the WhoisXML API WHOIS database, the email content can be subjected to more experiments.
What level of technicality should the report use to inspire action? How should the message be constructed so as to establish trust, both with the recipient and email service provider?
When these questions are answered, web vulnerability notification could become more effective, thus helping organizations reduce their attack surface.
 B. Stock, G. Pellegrino, F. Li, M. Backes, and C. Rossow. Didn't You Hear Me? Towards More Successful Web Vulnerability Notifications. In NDSS Network and Distributed System Security Symposium. San Diego, California. 18–21 February 2018. Retrieved from https://publications.cispa.saarland/1190/1/stock2018notification.pdf.
 F. Li, Z. Durumeric, J. Czyz, M. Karami, D. McCoy, S. Savage, M. Bailey, and V. Paxson. You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications. In USENIX Security Symposium. Austin, Texas. 10–12 August 2016. Retrieved from https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_stock.pdf.
 B. Stock, G. Pellegrino, C. Rossow, M. Johns, and M. Backes. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification. In USENIX Security Symposium. Austin, Texas. 10–12 August 2016. Retrieved from https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_li.pdf.See other success stories