Vulnerability disclosure programs (VDPs), the first of which dates to 1963, have recently gained more attention throughout the industry, as they allow external researchers to search for and report vulnerabilities. However, existing research on VDPs primarily surveys stakeholders or extracts insights into program management. With this work, we shift the focus to the technical side of VDPs and investigate the opportunities for ethical and legal vulnerability research using a VDP dataset. We therefore created a dataset of 3462 websites listed within VDPs along with their policies, and compared them against a set of 9423 popular websites from the CrUX list to gain insights into their usability for web security research. Our measurements reveal that websites participating in VDPs demonstrate stronger security practices and fewer vulnerabilities. Nearly twice as many CrUX websites include outdated libraries with known vulnerabilities. Further, we found and validated more client-side XSS vulnerabilities on CrUX domains (0.49%) than on VDP-listed domains (0.16%), and observed insecure CSP use 5% more often in CrUX. While security appears to be improved within such programs, their policies allow researchers to test areas that are otherwise difficult to assess in large-scale, real-world environments, such as server-side vulnerabilities. Our results highlight how VDPs could enhance research by offering valuable insights into web security that can serve as a lower-bound estimate for the overall Web. This suggests that VDPs could also provide an indirect entry point to study server-side security postures at scale, a hypothesis we outline for future work.
ACM ASIA Conference on Computer and Communications Security (AsiaCCS)
2025-12-22