Skip to main content
Conference ProceedingsOPEN ACCESS

Talking Trojan: Analyzing an Industry-Wide Disclosure

SCORED 2022 - Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, co-located with CCS 2022 (2022) 83-92
DOI: 10.1145/3560835.3564555
2Citations
Citations of this article
7Readers
Mendeley users who have this article in their library.
Get full text

Abstract

While vulnerability research often focuses on technical findings and post-public release industrial response, we provide an analysis of the rest of the story: the coordinated disclosure process from discovery through public release. The industry-wide 'Trojan Source' vulnerability which affected most compilers, interpreters, code editors, and code repositories provided an interesting natural experiment, enabling us to compare responses by firms versus nonprofits and by firms that managed their own response versus firms that outsourced it. We document the interaction with bug bounty programs, government disclosure assistance, academic peer review, and press coverage, among other topics. We compare the response to an attack on source code with the response to a comparable attack on NLP systems employing machine-learning techniques. We conclude with recommendations to improve the global coordinated disclosure system.

Author supplied keywords

Cite

CITATION STYLE

APA

Boucher, N., & Anderson, R. (2022). Talking Trojan: Analyzing an Industry-Wide Disclosure. In SCORED 2022 - Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, co-located with CCS 2022 (pp. 83–92). Association for Computing Machinery, Inc. https://doi.org/10.1145/3560835.3564555

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free