Tampere University of Technology

TUTCRIS Research Portal

A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities

Research output: Contribution to journal › Article › Scientific › peer-review

Standard

A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities. / Ruohonen, Jukka; Hyrynsalmi, Sami; Leppänen, Ville.

In: Computers in Human Behavior, Vol. 103, 02.2020, p. 161-173.


Harvard

Ruohonen, J, Hyrynsalmi, S & Leppänen, V 2020, 'A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities', Computers in Human Behavior, vol. 103, pp. 161-173. https://doi.org/10.1016/j.chb.2019.09.028

Author

Ruohonen, Jukka ; Hyrynsalmi, Sami ; Leppänen, Ville. / A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities. In: Computers in Human Behavior. 2020 ; Vol. 103. pp. 161-173.

BibTeX

@article{34db7dd6875648dfa14c36f2777e34a9,
title = "A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities",
abstract = "Software vulnerabilities are security-related software bugs. Direct disclosure refers to a practice that is widely used for communicating the confidential information about vulnerabilities between two parties, vulnerability discoverers and software producers. Building on software vulnerability life cycle analysis, this empirical paper observes the qualitative and quantitative characteristics of direct disclosure practices, focusing particularly on the historical problem related to producers’ reluctance to participate in the practices. According to the results, the problem was still present in the 2000s and early 2010s—and likely is still present today. By presenting this empirical result about the under-researched phenomenon of direct disclosure of software vulnerabilities, the paper contributes to the research domain of vulnerability life cycle modeling in general and the subdomain of empirical vulnerability disclosure research in particular.",
author = "Jukka Ruohonen and Sami Hyrynsalmi and Ville Lepp{\"a}nen",
year = "2020",
month = "2",
doi = "10.1016/j.chb.2019.09.028",
language = "English",
volume = "103",
pages = "161--173",
journal = "Computers in Human Behavior",
issn = "0747-5632",
publisher = "Elsevier",

}

RIS (suitable for import to EndNote)

TY - JOUR

T1 - A Mixed Methods Probe into the Direct Disclosure of Software Vulnerabilities

AU - Ruohonen, Jukka

AU - Hyrynsalmi, Sami

AU - Leppänen, Ville

PY - 2020/2

Y1 - 2020/2

N2 - Software vulnerabilities are security-related software bugs. Direct disclosure refers to a practice that is widely used for communicating the confidential information about vulnerabilities between two parties, vulnerability discoverers and software producers. Building on software vulnerability life cycle analysis, this empirical paper observes the qualitative and quantitative characteristics of direct disclosure practices, focusing particularly on the historical problem related to producers’ reluctance to participate in the practices. According to the results, the problem was still present in the 2000s and early 2010s—and likely is still present today. By presenting this empirical result about the under-researched phenomenon of direct disclosure of software vulnerabilities, the paper contributes to the research domain of vulnerability life cycle modeling in general and the subdomain of empirical vulnerability disclosure research in particular.

AB - Software vulnerabilities are security-related software bugs. Direct disclosure refers to a practice that is widely used for communicating the confidential information about vulnerabilities between two parties, vulnerability discoverers and software producers. Building on software vulnerability life cycle analysis, this empirical paper observes the qualitative and quantitative characteristics of direct disclosure practices, focusing particularly on the historical problem related to producers’ reluctance to participate in the practices. According to the results, the problem was still present in the 2000s and early 2010s—and likely is still present today. By presenting this empirical result about the under-researched phenomenon of direct disclosure of software vulnerabilities, the paper contributes to the research domain of vulnerability life cycle modeling in general and the subdomain of empirical vulnerability disclosure research in particular.

U2 - 10.1016/j.chb.2019.09.028

DO - 10.1016/j.chb.2019.09.028

M3 - Article

VL - 103

SP - 161

EP - 173

JO - Computers in Human Behavior

JF - Computers in Human Behavior

SN - 0747-5632

ER -