Abstract
The European Union Agency for Network and Information Security published the report Economics of Vulnerability Disclosure in December 2018. Building on the concepts of the actors, process types, markets and nature of vulnerability disclosure, the report applies economic concepts and characteristics to the field of information security, and then analyses in detail how incentives at the individual, organizational, structural and normative levels shape vulnerability disclosure behaviour, before proposing how a vulnerability disclosure ecosystem should be built. China has room for improvement in the legal safeguards, institutional development and concrete practice of vulnerability disclosure, and the report offers a useful reference for China in establishing a vulnerability disclosure mechanism better suited to its national conditions.
The European Union Agency for Network and Information Security released Economics of Vulnerability Disclosure in December 2018. The report provides an overview of vulnerability disclosure, elaborating the concepts of actors, types, markets, and the nature of vulnerability disclosure. An introduction to information security economics is also given to illustrate the application of economics in the field of information security. Incentives and behaviour in vulnerability disclosure are discussed at the individual, organizational, structural and normative levels, with a view to establishing vulnerability discovery ecosystems. China has room for improvement in the legal system, rules and regulations, and regular practice of vulnerability disclosure. This report is a useful reference for China in designing a more relevant vulnerability disclosure mechanism in line with its national situation.