@article{arbaugh2000windows,
title={Windows of vulnerability: A case study analysis},
author={Arbaugh, William A and Fithen, William L and McHugh, John},
journal={Computer},
volume={33},
number={12},
pages={52--59},
year={2000},
publisher={IEEE}
}
@article{cuijpers2013prefix,
title={Prefix orders as a general model of dynamics},
author={Cuijpers, PJL},
journal={Proc. of Developments in Computation Models, DCM},
volume={13},
pages={25--29},
year={2013}
}
@techreport{householder2017cert,
title={The {CERT} Guide to Coordinated Vulnerability Disclosure},
author={Householder, Allen D and Wassermann, Garret and Manion, Art and King, Chris},
year={2017},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA}
}
@techreport{cyentia2019getting,
title={Prioritization to Prediction Volume 2: Getting Real About Remediation},
year={2019},
institution={Cyentia Institute, LLC},
author={{Cyentia Institute}},
}
@article{brown2001interval,
title={Interval estimation for a binomial proportion},
author={Brown, Lawrence D and Cai, T Tony and DasGupta, Anirban},
journal={Statistical science},
pages={101--117},
year={2001},
publisher={JSTOR}
}
@article{agresti1998approximate,
title={Approximate is better than ``exact'' for interval estimation of binomial proportions},
author={Agresti, Alan and Coull, Brent A},
journal={The American Statistician},
volume={52},
number={2},
pages={119--126},
year={1998},
publisher={Taylor \& Francis}
}
@article{jaynes1957information,
title={Information theory and statistical mechanics},
author={Jaynes, Edwin T},
journal={Physical review},
volume={106},
number={4},
pages={620},
year={1957},
publisher={APS}
}
@misc{NVD,
author = {NIST},
title = {National Vulnerability Database},
howpublished = {\url{https://nvd.nist.gov}},
note = {Accessed: 2020-06-08}
}
@misc{certvda,
author = {{CERT Coordination Center (CERT/CC)}},
title = {{CERT} Vulnerability Data Archive},
howpublished = {\url{https://github.com/CERTCC/Vulnerability-Data-Archive}},
note = {Accessed: 2020-06-08}
}
@misc{metasploit,
author = {Rapid7},
title = {Metasploit Framework},
howpublished = {\url{https://github.com/rapid7/metasploit-framework}},
note = {Accessed: 2020-06-08}
}
@misc{exploitdb,
author = {{Offensive Security}},
title = {Exploit DB},
howpublished = {\url{https://github.com/offensive-security/exploitdb}},
note = {Accessed: 2020-06-08}
}
@article{dreef2004measuring,
title={Measuring skill in games: Several approaches discussed},
author={Dreef, Marcel and Borm, Peter and Van der Genugten, Ben},
journal={Mathematical methods of operations Research},
volume={59},
number={3},
pages={375--391},
year={2004},
publisher={Springer}
}
@article{larkey1997skill,
title={Skill in games},
author={Larkey, Patrick and Kadane, Joseph B and Austin, Robert and Zamir, Shmuel},
journal={Management Science},
volume={43},
number={5},
pages={596--609},
year={1997},
publisher={INFORMS}
}
@article{MATIN2018197,
title = "What is equitable resilience?",
journal = "World Development",
volume = "109",
pages = "197--205",
year = "2018",
issn = "0305-750X",
doi = "10.1016/j.worlddev.2018.04.020",
url = "http://www.sciencedirect.com/science/article/pii/S0305750X18301396",
author = "Nilufar Matin and John Forrester and Jonathan Ensor",
keywords = "Subjectivity, Inclusion, Cross-scale, Transformation, Social-ecological systems, Middle-range theory",
abstract = "Resilience has attracted criticism for its failure to address social vulnerability and to engage with issues of equity and power. Here, we ask: what is equitable resilience? Our focus is on what resilience does on the ground in relation to development, adaptation and disaster management, and on identifying critical issues for engaging with equity in resilience practice. Using techniques from systematic reviews, with variants of equitable resilience as our key search terms, we carried out an analytical literature review which reveals four interconnected themes: subjectivities, inclusion, cross-scale interactions, and transformation. Drawing on this analysis, we find that ‘equitable resilience’ is increasingly likely when resilience practice takes into account issues of social vulnerability and differential access to power, knowledge, and resources; it requires starting from people’s own perception of their position within their human-environmental system, and it accounts for their realities and for their need for a change of circumstance to avoid imbalances of power into the future. Our approach moves beyond debates that focus on the ontological disconnect between resilience and social theory, to provide a definition that can be used in practice alongside resilience indicators to drive ground level interventions towards equitable outcomes. Defined in this way, equitable resilience is able to support the development of social-ecological systems that are contextually rooted, responsive to change and socially just, and thus relevant to global sustainability challenges."
}
@inproceedings{spring2020ssvc,
title={Prioritizing vulnerability response: {A} stakeholder-specific vulnerability categorization},
author={Jonathan M Spring and Eric Hatleback and Allen D. Householder and Art Manion and Deana Shick},
address={Brussels, Belgium},
year={2020},
month = dec,
booktitle = {Workshop on the Economics of Information Security}
}
@article{endsley1995toward,
title={Toward a theory of situation awareness in dynamic systems},
author={Endsley, Mica R},
journal={Human factors},
volume={37},
number={1},
pages={32--64},
year={1995},
publisher={SAGE Publications Sage CA: Los Angeles, CA}
}
@techreport{ncsc2018cvd,
title={Coordinated Vulnerability Disclosure: the Guideline},
author={{National Cyber Security Centre}},
year={2018},
month=Oct,
institution={National Cyber Security Centre, Netherlands (NCSC-NL)}
}
@misc{christey2002responsible,
title={Responsible Vulnerability Disclosure Process},
author={Christey, Steve and Wysopal, Chris},
Date-Added = {2020-07-27 14:45:59 -0400},
Date-Modified = {2020-07-27 14:47:26 -0400},
Lastchecked = {27 July 2020},
Month = feb,
Url = {https://tools.ietf.org/html/draft-christey-wysopal-vuln-disclosure-00},
Year = {2002},
howpublished = {\url{https://tools.ietf.org/html/draft-christey-wysopal-vuln-disclosure-00}},
note = {Accessed: 2020-07-27}
}
@misc{niac2004vul,
title={National {I}nfrastructure {A}dvisory {C}ouncil's Vulnerability Disclosure Framework: Final Report and Recommendations},
author={Chambers, John T. and Thomson, John W.},
year={2004},
howpublished = {\url{https://www.cisa.gov/publication/niac-vulnerability-framework-final-report}},
note = {Accessed: 2020-07-27}
}
@comment{To get this effect (crediting the working group chairs rather than FIRST as a corporate author), use editor instead of author.}
@misc{first2020mpcvd,
title={Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure},
howpublished = {\url{https://www.first.org/global/sigs/vulnerability-coordination/multiparty/guidelines-v1.1}},
note = {Accessed: 2020-07-27},
year={2020},
author={{Forum of Incident Response and Security Teams}},
}
@misc{first2020psirt,
title={Product Security Incident Response Team (PSIRT) Services Framework
Version 1.1},
howpublished = {\url{https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1}},
note = {Accessed: 2021-05-17},
year={2020},
author={{Forum of Incident Response and Security Teams}},
}
@misc{first2019cvss31,
title={Common Vulnerability Scoring System v3.1: Specification Document},
howpublished = {\url{https://www.first.org/cvss/v3.1/specification-document}},
note = {Accessed: 2021-05-18},
year={2019},
author={{Forum of Incident Response and Security Teams}},
}
@misc{ms2010cvd,
title={Announcing Coordinated Vulnerability Disclosure},
howpublished ={\url{https://msrc-blog.microsoft.com/2010/07/22/announcing-coordinated-vulnerability-disclosure/}},
author = {Thomlinson, Matt},
note = {Accessed: 2021-02-26},
}
@misc{wired2018senate,
title={Senators Fear {Meltdown} and {Spectre} Disclosure Gave {China} an Edge},
howpublished={\url{https://www.wired.com/story/meltdown-and-spectre-intel-china-disclosure/}},
journal={Wired},
publisher={Conde Nast},
author={Newman, Lily Hay},
year={2018},
month=jul
}
@techreport{page1999pagerank,
title={The PageRank citation ranking: Bringing order to the web.},
author={Page, Lawrence and Brin, Sergey and Motwani, Rajeev and Winograd, Terry},
year={1999},
institution={Stanford InfoLab}
}
@misc{bradner1997rfc2119,
title={{RFC}2119: Key words for use in {RFC}s to Indicate Requirement Levels},
author={Bradner, Scott},
year={1997},
howpublished={\url{https://datatracker.ietf.org/doc/html/rfc2119}},
publisher={RFC Editor}
}
@misc{usg2017vep,
title="{V}ulnerabilities {E}quities {P}olicy and {P}rocess for the {U}nited {S}tates {G}overnment",
author={{United States Government}},
year={2017},
month=nov,
url={https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External\%20-\%20Unclassified\%20VEP\%20Charter\%20FINAL.PDF},
howpublished={\url{https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External\%20-\%20Unclassified\%20VEP\%20Charter\%20FINAL.PDF}},
note={Accessed: 2021-02-22}
}
@article{jacobs2019exploit,
title={Exploit Prediction Scoring System ({EPSS})},
author={Jacobs, Jay and Romanosky, Sasha and Edwards, Benjamin and Roytman, Michael and Adjerid, Idris},
journal={arXiv preprint arXiv:1908.04856},
year={2019}
}
@misc{first2019ethics,
title={Ethicsf{IRST}: {E}thics for {I}ncident {R}esponse and {S}ecurity {T}eams},
howpublished={\url{https://www.first.org/global/sigs/ethics/ethics-first}},
publisher={Forum of Incident Response and Security Teams},
author={{FIRST Ethics SIG}},
year={2019},
month=dec
}
@misc{householder2015zeroday,
title={Like Nailing Jelly to the Wall: Difficulties in Defining ``Zero-Day Exploit''},
howpublished={\url{https://insights.sei.cmu.edu/cert/2015/07/like-nailing-jelly-to-the-wall-difficulties-in-defining-zero-day-exploit.html}},
journal={CERT/CC Blog},
publisher={Software Engineering Institute},
author={Householder, Allen D},
year={2015},
month=jul
}
@article{arora2008optimal,
title={Optimal policy for software vulnerability disclosure},
author={Arora, Ashish and Telang, Rahul and Xu, Hao},
journal={Management Science},
volume={54},
number={4},
pages={642--656},
year={2008},
publisher={INFORMS}
}
@article{arora2006does,
title={Does information security attack frequency increase with vulnerability disclosure? An empirical analysis},
author={Arora, Ashish and Nandkumar, Anand and Telang, Rahul},
journal={Information Systems Frontiers},
volume={8},
number={5},
pages={350--362},
year={2006},
publisher={Springer}
}
@article{arora2010empirical,
title={An empirical analysis of software vendors' patch release behavior: impact of vulnerability disclosure},
author={Arora, Ashish and Krishnan, Ramayya and Telang, Rahul and Yang, Yubao},
journal={Information Systems Research},
volume={21},
number={1},
pages={115--132},
year={2010},
publisher={INFORMS}
}
@article{arora2006research,
title={Research note—Sell first, fix later: Impact of patching on software quality},
author={Arora, Ashish and Caulkins, Jonathan P and Telang, Rahul},
journal={Management Science},
volume={52},
number={3},
pages={465--471},
year={2006},
publisher={INFORMS}
}
@article{arora2005economics,
title={Economics of software vulnerability disclosure},
author={Arora, Ashish and Telang, Rahul},
journal={IEEE Security \& Privacy},
volume={3},
number={1},
pages={20--25},
year={2005},
publisher={IEEE}
}
@article{arora2010competition,
title={Competition and patching of security vulnerabilities: {A}n empirical analysis},
author={Arora, Ashish and Forman, Chris and Nandkumar, Anand and Telang, Rahul},
journal={Information Economics and Policy},
volume={22},
number={2},
pages={164--177},
year={2010},
publisher={Elsevier}
}
@techreport{silfversten2018economics,
title={Economics Of Vulnerability Disclosure},
author={Silfversten, Erik and Phillips, William D and Persi Paoli, Giacomo and Ciobanu, Cosmin},
year={2018},
institution={European Union Agency for Network and Information Security (ENISA)}
}
@techreport{pupillo2018software,
title={Software Vulnerability Disclosure in {Europe}: {Technology}, Policies and Legal Challenges},
author={Pupillo, Lorenzo and Ferreira, Afonso and Varisco, Gianluca},
year={2018},
institution={Center for European Policy Studies (CEPS)}
}
@article{cavusoglu2007efficiency,
title={Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge},
author={Cavusoglu, Hasan and Cavusoglu, Huseyin and Raghunathan, Srinivasan},
journal={IEEE Transactions on Software Engineering},
volume={33},
number={3},
pages={171--185},
year={2007},
publisher={IEEE}
}
@inproceedings{ozment2006milk,
title={Milk or wine: does software security improve with age?},
author={Ozment, Andy and Schechter, Stuart E},
booktitle={USENIX Security Symposium},
volume={6},
year={2006}
}
@inproceedings{bilge2012before,
title={Before we knew it: an empirical study of zero-day attacks in the real world},
author={Bilge, Leyla and Dumitra{\c{s}}, Tudor},
booktitle={Computer and communications security},
publisher = {ACM},
pages={833--844},
year={2012}
}
@incollection{frei2010modeling,
title={Modeling the security ecosystem-the dynamics of (in) security},
author={Frei, Stefan and Schatzmann, Dominik and Plattner, Bernhard and Trammell, Brian},
booktitle={Economics of Information Security and Privacy},
pages={79--106},
year={2010},
publisher={Springer}
}
@misc{pittphilsci16041,
month = apr,
title = {Principles of Indifference},
author = {Benjamin Eva},
year = {2019},
keywords = {Principle of Indifference, Comparative Confidence Judgements, Epistemology},
howpublished={\url{http://philsci-archive.pitt.edu/16041/}},
abstract = {The principle of indifference (PI) states that in the absence of any relevant evidence, a rational agent will distribute their credence (or `degrees of belief') equally amongst all the possible outcomes under consideration. Despite its intuitive plausibility, PI famously falls prey to paradox, and so is widely rejected as a principle of ideal rationality. Some authors have attempted to show that by conceiving of the epistemic states of agents in terms of imprecise credences, it is possible to overcome these paradoxes and thus to achieve a consistent rehabilitation of PI. In this article, I present an alternative rehabilitation of PI in terms of the epistemology of comparative confidence judgements of the form `I am more confident in the truth of p than I am in the truth q' or `I am equally confident in the truth of p and q'. In particular, I consider two natural comparative reformulations of PI, and argue that while one of them prescribes the adoption of patently irrational epistemic states, the other (which is only available when we drop the standard but controversial `Opinionation' assumption from the comparative confidence framework) provides a consistent formulation of PI that overcomes the fundamental limitations of all existing formulations.}
}
@inproceedings{householder2020historical,
title={Historical Analysis of Exploit Availability Timelines},
author={Householder, Allen D and Chrabaszcz, Jeff and Novelly, Trent and Warren, David and Spring, Jonathan M},
booktitle={Workshop on Cyber Security Experimentation and Test},
publisher = {USENIX},
year={2020}
}
@techreport{ISO29147,
type = {Standard},
key = {ISO 29147:2018},
month = Oct,
year = {2018},
title = {Information technology — Security techniques — Vulnerability disclosure},
number = {29147:2018},
address = {Geneva, CH},
author = {ISO},
institution = {International Organization for Standardization}
}
@techreport{ISO30111,
type = {Standard},
key = {ISO 30111:2019},
month = Oct,
year = {2019},
title = {Information technology — Security techniques — Vulnerability handling processes},
number = {30111:2019},
address = {Geneva, CH},
author = {ISO},
institution = {International Organization for Standardization}
}
@techreport{spring2019ssvc,
title={Prioritizing vulnerability response: {A} stakeholder-specific vulnerability categorization},
author={Jonathan M Spring and Eric Hatleback and Allen D. Householder and Art Manion and Deana Shick},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
howpublished = {\url{https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=636379}},
date={2019-12},
year={2019}
}
@techreport{spring2021ssvc,
title={Prioritizing vulnerability response: {A} stakeholder-specific vulnerability categorization (Version 2.0)},
author={Jonathan M Spring and Allen Householder and Eric Hatleback and Art Manion and Madison Oliver and Vijay Sarvapalli and Laurie Tyzenhaus and Charles Yarbrough},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
howpublished = {\url{https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=653459}},
date={2021-04},
year={2021}
}
@inbook{ellis2018fixing,
Author = {Ryan Ellis and Keman Huang and Michael Siegel and Katie Moussouris and James Houghton},
Chapter = {Fixing a Hole: The Labor Market for Bugs.},
Date-Added = {2020-09-15 11:28:10 -0400},
Date-Modified = {2020-09-15 11:29:53 -0400},
Editor = {Shrobe, Howard and Shrier, David L. and Pentland, Alex},
Pages = {129--159},
Publisher = {MIT Press},
Title = {New Solutions for Cybersecurity},
Year = {2018}}
@misc{ntia_sbom,
Author = {National Telecommunications and Information Administration},
Title = {Software Bill of Materials},
howpublished = {\url{https://www.ntia.gov/SBOM}},
note = {Accessed: 2021-05-18},
}
@misc{spdx,
Author = {Linux Foundation},
Title = {The Software Package Data Exchange ({SPDX})},
howpublished = {\url{https://spdx.dev/}},
note = {Accessed: 2021-05-18},
}
@misc{cyclonedx,
Author = {CycloneDX Project},
Title = {Cyclone{DX}},
howpublished = {\url{https://cyclonedx.org/}},
note = {Accessed: 2021-05-18},
}
@misc{nist_swid,
Author = {National Institute of Standards and Technology},
Title = {Software Identification ({SWID}) Tagging},
howpublished = {\url{https://csrc.nist.gov/projects/Software-Identification-SWID}},
note = {Accessed: 2021-05-18},
}
@misc{luta2020,
Author = {Luta Security},
Date-Added = {2020-09-17 15:31:37 -0400},
Date-Modified = {2020-09-17 15:33:06 -0400},
Institution = {Luta Security},
Title = {Vulnerability Coordination Security Model},
howpublished = {\url{https://www.lutasecurity.com/vcmm}},
note = {Accessed: 2020-09-17},
Year = {2020}}
@misc{stempfley2017,
Author = {Roberta Stempfley},
Institution = {Software Engineering Institute},
Title = {Letter in response to {Representative Walden} and {Senator Thune}},
howpublished = {\url{https://republicans-energycommerce.house.gov/wp-content/uploads/2018/08/CERT-Response-MultiParty-CVD-Congressional-Letter.pdf}},
note = {Accessed: 2020-09-30},
Year = {2017}}
@article{reutlinger2018toymodels,
author = {Reutlinger, Alexander and Hangleiter, Dominik and Hartmann, Stephan},
title = {Understanding (with) Toy Models},
journal = {The British Journal for the Philosophy of Science},
volume = {69},
number = {4},
pages = {1069--1099},
year = {2018},
doi = {10.1093/bjps/axx005},
URL = {https://doi.org/10.1093/bjps/axx005},
eprint = {https://doi.org/10.1093/bjps/axx005},
abstract = {Toy models are highly idealized and extremely simple models. Although they are omnipresent across scientific disciplines, toy models are a surprisingly under-appreciated subject in the philosophy of science. The main philosophical puzzle regarding toy models concerns what the epistemic goal of toy modelling is. One promising proposal for answering this question is the claim that the epistemic goal of toy models is to provide individual scientists with understanding. The aim of this article is to precisely articulate and to defend this claim. In particular, we will distinguish between autonomous and embedded toy models, and then argue that important examples of autonomous toy models are sometimes best interpreted to provide how-possibly understanding, while embedded toy models yield how-actually understanding, if certain conditions are satisfied.}
}
@article{luczak2017toymodels,
title = {Talk about toy models},
journal = {Studies in History and Philosophy of Science Part B: Studies in History and Philosophy of Modern Physics},
volume = {57},
pages = {1--7},
year = {2017},
issn = {1355-2198},
doi = {10.1016/j.shpsb.2016.11.002},
url = {https://www.sciencedirect.com/science/article/pii/S1355219816300260},
author = {Joshua Luczak},
abstract = {Scientific models are frequently discussed in philosophy of science. A great deal of the discussion is centred on approximation, idealisation, and on how these models achieve their representational function. Despite the importance, distinct nature, and high presence of toy models, they have received little attention from philosophers. This paper hopes to remedy this situation. It aims to elevate the status of toy models: by distinguishing them from approximations and idealisations, by highlighting and elaborating on several ways the Kac ring, a simple statistical mechanical model, is used as a toy model, and by explaining why toy models can be used to successfully carry out important work without performing a representational function.}
}
@inproceedings{moore2019multi,
title={Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem},
author={Moore, Andrew P and Householder, Allen D},
year={2019},
booktitle={37th International Conference of the System Dynamics Society},
}
@phdthesis{lewis2017global,
title={The global vulnerability discovery and disclosure system: a thematic system dynamics approach},
author={Lewis, Paul Simon},
year={2017},
school={Cranfield University}
}
@misc{lewis2016software,
title={Software vulnerability discovery and disclosure system: a systems dynamics approach},
author={Lewis, Paul},
year={2016},
howpublished={Dataset, Cranfield Online Research Data (CORD)}
}
@article{lewis2015statistical,
title={A statistical analysis of vulnerability discovery: Microsoft operating systems},
author={Lewis, P and Hilton, J},
journal={Engineering \& Technology Reference},
year={2015}
}
@misc{Lewis2014empirical,
author = {Lewis, PS},
title = {Empirical Analysis of the Vulnerability Discovery System},
type = {Poster},
year = {2014}
}
@InCollection{sep-utilitarianism-history,
author = {Driver, Julia},
title = {{The History of Utilitarianism}},
booktitle = {The {Stanford} Encyclopedia of Philosophy},
editor = {Edward N. Zalta},
howpublished = {\url{https://plato.stanford.edu/archives/win2014/entries/utilitarianism-history/}},
year = {2014},
edition = {{W}inter 2014},
publisher = {Metaphysics Research Lab, Stanford University}
}
@book{gawande2011checklist,
place={London, England},
title={The checklist manifesto: How to get things right},
ISBN={9781846683145},
publisher={Profile Books},
author={Gawande, Atul},
year={2011}
}
@inproceedings{xu2020patch,
title={Patch based vulnerability matching for binary programs},
author={Xu, Yifei and Xu, Zhengzi and Chen, Bihuan and Song, Fu and Liu, Yang and Liu, Ting},
booktitle={Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis},
pages={376--387},
year={2020}
}
@inproceedings{xiao2020mvp,
title={MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures},
author={Xiao, Yang and Chen, Bihuan and Yu, Chendong and Xu, Zhengzi and Yuan, Zimu and Li, Feng and Liu, Binghong and Liu, Yang and Huo, Wei and Zou, Wei and others},
booktitle={29th USENIX Security Symposium (USENIX Security 20)},
pages={1165--1182},
year={2020}
}
@article{jacobs2020epss,
author = {Jacobs, Jay and Romanosky, Sasha and Adjerid, Idris and Baker, Wade},
title = "{Improving vulnerability remediation through better exploit prediction}",
journal = {Journal of Cybersecurity},
volume = {6},
number = {1},
year = {2020},
month = sep,
abstract = "{Despite significant innovations in IT security products and research over the past 20 years, the information security field is still immature and struggling. Practitioners lack the ability to properly assess cyber risk, and decision-makers continue to be paralyzed by vulnerability scanners that overload their staff with mountains of scan results. In order to cope, firms prioritize vulnerability remediation using crude heuristics and limited data, though they are still too often breached by known vulnerabilities for which patches have existed for months or years. And so, the key challenge firms face is trying to identify a remediation strategy that best balances two competing forces. On one hand, it could attempt to patch all vulnerabilities on its network. While this would provide the greatest ‘coverage’ of vulnerabilities patched, it would inefficiently consume resources by fixing low-risk vulnerabilities. On the other hand, patching a few high-risk vulnerabilities would be highly ‘efficient’, but may leave the firm exposed to many other high-risk vulnerabilities. Using a large collection of multiple datasets together with machine learning techniques, we construct a series of vulnerability remediation strategies and compare how each perform in regard to trading off coverage and efficiency. We expand and improve upon the small body of literature that uses predictions of ‘published exploits’, by instead using ‘exploits in the wild’ as our outcome variable. We implement the machine learning models by classifying vulnerabilities according to high- and low-risk, where we consider high-risk vulnerabilities to be those that have been exploited in actual firm networks.}",
issn = {2057-2085},
doi = {10.1093/cybsec/tyaa015},
url = {https://doi.org/10.1093/cybsec/tyaa015},
note = {tyaa015},
eprint = {https://academic.oup.com/cybersecurity/article-pdf/6/1/tyaa015/33746021/tyaa015.pdf},
}
@article{angell1991ingelfinger,
author = {Angell, Marcia and Kassirer, Jerome P.},
title = {The Ingelfinger Rule Revisited},
journal = {New England Journal of Medicine},
volume = {325},
number = {19},
pages = {1371--1373},
year = {1991},
doi = {10.1056/NEJM199111073251910},
note ={PMID: 1669838},
URL = {https://doi.org/10.1056/NEJM199111073251910},
eprint = {https://doi.org/10.1056/NEJM199111073251910}
}
@misc{delkic2018embargo,
title={Ready, Set, Embargo},
howpublished={\url{https://www.nytimes.com/2018/08/11/insider/embargoes-reporting.html}},
journal={The New York Times},
publisher={The New York Times},
author={Delkic, Melina},
year={2018},
month=aug
}
@misc{oransky2016embargo,
title={Why science news embargoes are bad for the public},
howpublished={\url{https://www.vox.com/science-and-health/2016/11/29/13765458/science-news-embargoes-bad-for-public}},
journal={Vox},
publisher={Vox Media, LLC},
author={Oransky, Ivan},
year={2016},
month=nov
}
@book{kandar2013automata,
abstract = {Formal languages and automata theory is the study of abstract machines and how these can be used for solving problems. The book has a simple and exhaustive approach to topics like automata theory, formal languages and theory of computation. These descriptions are followed by numerous relevant examples related to the topic. A brief introductory chapter on compilers explaining its relation to theory of computation is also given.},
author = {Kandar, Shyamalendu},
address = {},
edition = {1st edition},
isbn = {81-317-9351-6},
keywords = {Mathematics},
language = {eng},
publisher = {Pearson},
series = {Always learning},
title = {Introduction to automata theory, formal languages and computation},
year = {2013}
}
@misc{ars2012forever,
title = {Rise of ``forever day'' bugs in industrial systems threatens critical infrastructure},
author = {Goodin, Dan},
journal = {Ars Technica},
publisher = {Conde Nast},
year = {2012},
month = apr,
day = {9},
url = {https://arstechnica.com/information-technology/2012/04/rise-of-ics-forever-day-vulnerabiliities-threaten-critical-infrastructure/},
howpublished={\url{https://arstechnica.com/information-technology/2012/04/rise-of-ics-forever-day-vulnerabiliities-threaten-critical-infrastructure/}},
note = {Accessed: 2021-06-10}
}