Analysis of Coordinated Vulnerability Disclosure processes in companies
- Type: Master's thesis
- Date: as soon as possible
- Supervisor:
- Add on: open
Background
Despite the growing importance of vulnerability management under the new EU regulations (especially NIS2) and the adoption of Coordinated Vulnerability Disclosure (CVD) practices in many other countries [1], the current status quo of CVD programs in German companies remains largely unexplored. Within a current research collaboration we investigate CVD processes in general, but also specifically within companies. Related work has found that using bug bounty platforms proves useful for companies but also comes with disadvantages [2].
Objectives
The goal of the Master's thesis is to reach out to Chief Information Security Officers (CISOs) about the advantages and disadvantages of establishing CVD processes or bug bounty programs in their companies. Further possible questions should cover who reports vulnerabilities, how these reports are processed within the companies, and which resources the companies allocate to such processes. As part of the thesis, the student should develop a recruitment strategy and conduct interviews with CISOs.
[1] Y. S. Pil. 2023. The Way Forward for Security Vulnerability Disclosure Policy: Comparative Analysis of US, EU, and Netherlands. In: Lee, R. (ed.) Big Data, Cloud Computing, and Data Science Engineering. BCD 2022. Studies in Computational Intelligence, vol. 1075. Springer, Cham. https://doi.org/10.1007/978-3-031-19608-9_10
[2] T. Walshe and A. C. Simpson. 2022. Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations. Computers & Security 123, C (Dec 2022). https://doi.org/10.1016/j.cose.2022.102936
Important information
Please visit https://secuso.aifb.kit.edu/121.php for our thesis guide and more information on our procedure.