Call for Papers
Digital Threats: Research and Practice
Special Issue on Vulnerabilities
Digital Threats: Research and Practice (DTRAP) is a peer-reviewed journal that targets the prevention, identification, mitigation, and elimination of digital threats. DTRAP aims to bridge the gap between academic research and industry practice.
Vulnerabilities are a fundamental aspect of the field of Digital Threats. How we discover, manage, and reduce the impact of vulnerabilities is as important as the vulnerabilities themselves. The goal of the special issue of DTRAP on Vulnerabilities is to consider these issues and open a dialogue between the researchers in the field and the practitioners who grapple with these problems on a day-to-day basis.
Areas of Interest
We solicit papers on all areas related to vulnerabilities research and in particular:
Coordinated Vulnerability Disclosure (CVD)
Area Editor: Jeroen van der Ham, NCSC/UTwente
- Vulnerability disclosure policy can be seen as a wicked problem that gives rise to many questions: the timing and ethics of disclosure, which metrics are useful, and how to balance fairness between the different parties in multi-party disclosure.
Organizational, National, and International policy and trust issues surrounding vulnerabilities
Area Editors: Victoria Wang, University of Portsmouth; Jeroen van der Ham, NCSC/UTwente
- Vulnerabilities are a challenge for policymakers because they do not fit neatly into current policy thinking. Vulnerability disclosure policy can contribute to security, but trading in vulnerabilities can create security challenges. This area covers organizational data release and its related issues of trust, privacy and security, how policies relate to current practice, and how future policy-making initiatives change the practical landscape.
Vulnerability Exploitation and Mitigation in the Wild
Area Editors: Fabio Massacci, UTrento/VU Amsterdam; Victoria Wang, University of Portsmouth
- Many vulnerabilities are found but few are exploited. We seek to understand which vulnerabilities have actually been exploited and how to capture the characteristics that make a vulnerability actually exploitable, in order to provide a scientific, evidence-based guide to industry. Similarly, we seek work on socio-technical security threats and management measures in organizations.
Software Supply Chain Vulnerability Exploitation
Area Editors: Antonino Sabetta, SAP; Ivan Pashchenko, UTrento
- Many large security incidents have occurred because of vulnerabilities introduced by third-party software components. We seek to understand how to identify and mitigate vulnerabilities in third-party software components, and so provide a scientific basis for improving the security of their industrial use.
Mining Open Source Code Repositories for Vulnerability Data
Area Editor: Antonino Sabetta, SAP
- In principle, all the essential information about vulnerabilities affecting open-source software, as well as their fixes, is readily available in the source code repositories where such software is developed. In practice, the link between security advisories (e.g., from the NVD) and the corresponding flaws (and fixes) at the source code level is difficult to determine. Still, reconstructing the links between the two is key to accurately assessing the impact of a given vulnerability.
Vulnerability Management through Attack-Surface Reduction
Area Editor: Nick Nikiforakis, Stony Brook University
- Attack-surface reduction (also known as debloating) refers to the late-stage customization of software where each deployment of a given piece of software removes the functionality that is not necessary for the users of that deployment. As unnecessary features are removed from a given deployment, so are the potentially unknown vulnerabilities that reside in these features. We seek to understand practical methods of performing attack-surface reduction, how debloating methods can be incorporated in existing production environments, and new metrics for quantifying the security benefits of attack-surface reduction (e.g., going beyond LOC reduction).
We solicit three types of contribution:
- Research Paper on original research contribution in the area (maximum of 25 pages)
- Experience Paper (With the Benefit of Hindsight) reporting extensive lessons learned in the field (same length as a research paper)
- Field Notes on short industry case reports (around 1000-1500 words)
Authors are requested to provide a list of potential reviewers for their paper, which the editors may use at their discretion. Additionally, submitting authors may be asked by the editors to review other submitted papers, if appropriate.
Initial submission: Nov 30, 2020
First review: Mar 1, 2021
Revised manuscripts: May 1, 2021
Second review: Aug 1, 2021
Publication: Late 2021 (tentative)
For questions or further information, please write to: DTRAP_VUL@acm.org