Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure

Marleen Weulen Kranenbarg1, Thomas J. Holt2, Jeroen van der Ham3
1Department of Criminology, Faculty of Law, Vrije Universiteit (VU) Amsterdam, De Boelelaan 1105, 1081 HV, Amsterdam, The Netherlands
2School of Criminal Justice, Michigan State University, 434 Baker Hall, 655 Auditorium Road, East Lansing, MI, 48824, USA
3National Cyber Security Centre-NL & University of Twente, PO Box 20301, 2500 EH, The Hague, The Netherlands

Abstract

Keywords

