M.H. Van der Horst

5 records found

Conference paper (2026) - Mădălin Simion, Max van der Horst, Stan Plasmeijer, Yury Zhauniarovich
Software vulnerabilities - particularly in open-source software (OSS) components, which are now embedded in nearly every application - pose major security and privacy risks. Existing tools and research focus largely on vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) system, leaving those without CVE identifiers often overlooked. In this study, we aim to estimate the number of such CVE-less vulnerabilities in OSS projects by systematically analyzing project issue trackers to identify security-related reports that could qualify as CVEs. We use an AI-human collaborative approach, combining AI-based issue pre-filtering with expert validation to efficiently and accurately estimate the prevalence of these overlooked vulnerabilities.

We closely examined four large C++ projects and found that approximately 1.55% of all reported issues were classified by our model as security-related. Expert validation performed by the CVE Numbering Authority (CNA) Administrator on the gRPC project revealed that about 22% of these predicted security-related issues correspond to real, previously untracked vulnerabilities. This number is nearly five times greater than the total number of CVEs listed for this project in the National Vulnerability Database (NVD). These results reveal a gap in today's vulnerability disclosure ecosystem: many vulnerabilities are publicly disclosed in issue trackers yet never formally communicated through the CVE program, leaving them largely unexplored and potentially unaddressed. ...
Conference paper (2025) - Max van der Horst, Ricky Kho, Olga Gadyatskaya, Michel Mollema, Michel van Eeten, Yury Zhauniarovich
As ransomware attacks grow in frequency and complexity, accurate attribution is crucial. Victim organizations often feel compelled to pay ransom, but must first attribute the attack and conduct sanction screening to ensure the threat actor receiving the payment is not a sanctioned entity, avoiding severe legal and financial risks. This cyber threat actor attribution process typically relies on Indicators of Compromise (IoCs) matching known threat profiles. However, the emergence of the Ransomware-as-a-Service (RaaS) ecosystem and rebranding behavior complicate attribution for sanction screening. Our mixed-methods study, combining interviews with 20 experts with an analysis of ransomware incident reports, reveals significant challenges and limitations in the current attribution process. High-level IoCs, widely regarded as more reliable, lack the necessary specificity for accurate attribution, leading to potential risks of misattribution. Practitioners rely on lower-level IoCs, which provide clearer links to threat actors but are highly volatile, further complicating sanction enforcement. These challenges highlight the need for urgent improvements in the attribution and sanction processes. To mitigate these risks, we offer recommendations aimed at enhancing data-sharing practices, improving attribution frameworks, and refining the sanction violation policy to better support sanction screening efforts. While we do not recommend paying ransomware actors, we acknowledge that some organizations may face pressures to do so in certain situations. In such cases, it is vital to ensure legal compliance, particularly regarding sanctioned entities. This work aims to help victims of ransomware shield themselves from transgressing against sanctions. ...
Journal article (2025) - Max van der Horst, Rowin Jansen, Wouter Scherpenisse
Vulnerabilities in software form a structural risk to cyber resilience. Coordinated Vulnerability Disclosure (CVD) and notification play a crucial role in practice, but in the Netherlands they are largely organized informally. With the arrival of the NIS2 directive the playing field changes: reporting desks become mandatory and scanning powers are expanded. This contribution examines how the legislator and implementing bodies can handle CVD and notification in light of this directive. ...
Internet-wide scanning services are widely used for attack surface discovery across organizations and the Internet. Enterprises, government agencies, and researchers rely on these tools to assess risks to Internet-facing infrastructure. However, their reliability and trustworthiness remain largely unexamined. This paper addresses this gap by comparing results from three commercial scanners – Shodan, ONYPHE, and LeakIX – with findings from our independent experiments using verified Nuclei templates, designed to identify specific vulnerabilities through crafted benign requests. We found that the payload-based detections of Shodan are mostly confirmed. Yet, Nuclei finds many more vulnerable endpoints, so defenders might face massive underreporting. For Shodan’s banner-based detections, the opposite issue arises: a significant overreporting of false positives. This indicates that banner-based detections are unreliable. Moreover, the three commercial services and Nuclei scans exhibit significant discrepancies. Our work has implications for industry users, policymakers, and the many academic researchers who rely on the results provided by these attack surface management services. By highlighting their shortcomings in vulnerability monitoring, this work serves as a call to action to advance and standardize such services to enhance their trustworthiness. ...
Conference paper (2024) - Ate Penders, Max van der Horst, Alex van der Linden, Maurits de Graaf, Thomas Quillinan, Gregor Pavlin
This paper presents a secure and flexible process integration approach enabling distributed data fusion in military IoT applications. It seamlessly combines two recently developed technologies, the Dynamic Process Integration Framework and Martello, a Data Centric Security approach. The emphasis is on secure composition of heterogeneous services, corresponding to different types of algorithms as well as data sources that can be distributed over a system of networked computing nodes. The approach supports a relevant class of decision support functions that distil actionable information in environments characterized through dynamic constellations of sensors and computing services, limited communication bandwidth and stringent security requirements. Such functions contribute key elements of Information Driven Operation that can significantly improve the speed, quality and coverage of the OODA loops in challenging settings, such as Federated Mission Networks. ...