Special Issue on Vulnerabilities

Call for Papers

Digital Threats: Research and Practice

Digital Threats: Research and Practice (DTRAP) is a peer-reviewed journal that targets the prevention, identification, mitigation, and elimination of digital threats. DTRAP aims to bridge the gap between academic research and industry practice.

Vulnerabilities are a fundamental aspect of the field of Digital Threats. How we discover, manage, and reduce the impact of vulnerabilities is as important as the vulnerabilities themselves. The goal of the DTRAP Special Issue on Vulnerabilities is to consider these issues and open a dialogue between researchers in the field and the practitioners who grapple with these problems on a day-to-day basis.

Areas of Interest

We solicit papers on all areas related to vulnerabilities research and in particular:

Coordinated Vulnerability Disclosure (CVD) 

Area Editor: Jeroen van der Ham, NCSC/UTwente

  • Vulnerability disclosure policy can be seen as a wicked problem that gives rise to many questions: the timing and ethics of disclosure, which metrics are useful for judging a disclosure process, and how to balance fairness between the different parties in multi-party disclosure.

Organizational, National, and International policy and trust issues surrounding vulnerabilities 

Area Editors: Victoria Wang, University of Portsmouth; Jeroen van der Ham, NCSC/UTwente

  • Vulnerabilities are a challenge for policymakers because they do not fit current policy thinking well. Vulnerability disclosure policy can contribute to security, whereas trading in vulnerabilities can create security challenges. This area covers organizational data release and its related issues of trust, privacy and security, how existing policies relate to current practice, and how future policy-making initiatives change the practical landscape.

Vulnerability Exploitation and Mitigation in the Wild  

Area Editors: Fabio Massacci, UTrento/VU Amsterdam; Victoria Wang, University of Portsmouth

  • Many vulnerabilities are found but few are exploited. We seek to understand which vulnerabilities have actually been exploited and how to capture the characteristics that make a vulnerability exploitable in practice, in order to provide a scientific, evidence-based guide to industry. We are likewise interested in the socio-technical security threats organizations face and the management measures they adopt in response.

Software Supply Chain Vulnerability Exploitation

Area Editors: Antonino Sabetta, SAP; Ivan Pashchenko, UTrento

  • Many large security incidents have occurred because of vulnerabilities introduced by a third-party software component. We seek to understand how to identify and mitigate vulnerabilities in third-party software components, so as to provide a scientific basis for improving the security of third-party components in industrial use.

Mining Open Source Code Repositories for Vulnerability Data

Area Editor: Antonino Sabetta, SAP

  • In principle, all the essential information about vulnerabilities affecting open-source software, as well as their fixes, is readily available in the source code repositories where such software is developed. In practice, the link between a security advisory (e.g., an NVD entry) and the corresponding flaw and fix at the source code level is difficult to determine: advisories rarely cite the fixing commit, and commit messages rarely cite the advisory. Reconstructing these links is nevertheless key to an accurate assessment of the impact of a given vulnerability, for example to decide which versions and which parts of a component are affected.

Vulnerability Management through Attack-Surface Reduction

Area Editor: Nick Nikiforakis, Stony Brook University

  • Attack-surface reduction (also known as debloating) refers to the late-stage customization of software in which each deployment of a given piece of software removes the functionality that its users do not need. As unnecessary features are removed from a deployment, so are the potentially unknown vulnerabilities that reside in those features. We seek to understand practical methods of performing attack-surface reduction, how debloating methods can be incorporated into existing production environments, and new metrics for quantifying the security benefits of attack-surface reduction (e.g., going beyond reduction in lines of code).

Submission Information

We solicit three types of contribution:

  • Research Paper: an original research contribution in the area (maximum of 25 pages)
  • Experience Paper ("With the Benefit of Hindsight"): extensive lessons learned in the field (same page limit as a research paper)
  • Field Notes: short industry case reports (around 1000-1500 words)

Submit to this special issue at mc.manuscriptcentral.com/dtrap and select the paper type "Special Issue on Vulnerabilities". DTRAP author guidelines are available at dtrap.acm.org/authors.cfm.

Authors are requested to provide a list of potential reviewers for their paper, which the editors may use at their discretion. Additionally, submitting authors may be asked by the editors to review other submitted papers, if appropriate.

Initial submission: Nov 30, 2020
First review: Mar 1, 2021
Revised manuscripts: May 1, 2021
Second review: Aug 1, 2021
Publication: Late 2021 (tentative)

For questions or further information, please write to: DTRAP_VUL@acm.org
