{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T04:27:01Z","timestamp":1780633621366,"version":"3.54.1"},"reference-count":101,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2023,6,30]],"date-time":"2023-06-30T00:00:00Z","timestamp":1688083200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,6,30]]},"abstract":"<jats:p>\n            Bug bounty programmes and vulnerability disclosure programmes, collectively referred to as Coordinated Vulnerability Disclosure (CVD) programmes, open up an organisation\u2019s assets to the inquisitive gaze of (often eager) white-hat hackers. Motivated by the question\n            <jats:italic>What information do organisations convey to hackers through public CVD policy documents?<\/jats:italic>\n            , we aim to better understand the information available to hackers wishing to participate in the search for vulnerabilities. As such, in this article we consider three key issues. First, to address the differences in the legal language communicated to hackers, it is necessary to understand the formal constraints by which hackers must abide. Second, it is beneficial to understand the variation that exists in the informal constraints that are communicated to hackers through a variety of institutional elements. Third, for organisations wishing to better understand the commonplace elements that form current policy documents, we offer broad analysis of the components frequently included therein and identify gaps in programme policies.\n          <\/jats:p>\n          <jats:p>We report the results of a quantitative study, leveraging deep learning based natural language processing models, providing insights into the policy documents that accompany the CVD programmes of thousands of organisations, covering both stand-alone programmes and those hosted on 13 bug bounty programmes. We found that organisations often inadequately convey the formal constraints that are applicable to hackers, requiring hackers to have a deep understanding of the laws that underpin safe and legal security research. Furthermore, a lack of standardisation across similar policy components is prevalent, and may lead to a decreased understanding of the informal constraints placed upon hackers when searching for and disclosing vulnerabilities. Analysis of the institutional elements included in the policy documents of organisations reveals insufficient inclusion of many key components. Namely, legal information and information pertaining to restrictions on the backgrounds of hackers is found to be absent in a majority of policies analysed. Finally, to assist ongoing research, we provide novel annotated policy datasets that include human-labelled annotations at both the sentence and paragraph level, covering a broad range of CVD programme backgrounds.<\/jats:p>","DOI":"10.1145\/3586180","type":"journal-article","created":{"date-parts":[[2023,3,24]],"date-time":"2023-03-24T04:29:44Z","timestamp":1679632184000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Towards a Greater Understanding of Coordinated Vulnerability Disclosure Policy Documents"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9805-3156","authenticated-orcid":false,"given":"Thomas","family":"Walshe","sequence":"first","affiliation":[{"name":"University of Oxford"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3597-2232","authenticated-orcid":false,"given":"Andrew","family":"Simpson","sequence":"additional","affiliation":[{"name":"University of Oxford"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2023,8,10]]},"reference":[{"key":"e_1_3_4_2_2","doi-asserted-by":"publisher","DOI":"10.1002\/wics.101"},{"issue":"2","key":"e_1_3_4_3_2","first-page":"12","article-title":"A survey of the state of cloud computing in healthcare","volume":"1","author":"Ahuja Sanjay P.","year":"2012","unstructured":"Sanjay P. Ahuja, Sindhu Mani, and Jesus Zambrano. 2012. A survey of the state of cloud computing in healthcare. Network and Communication Technologies 1, 2 (2012), 12.","journal-title":"Network and Communication Technologies"},{"key":"e_1_3_4_4_2","doi-asserted-by":"publisher","DOI":"10.1016\/B978-0-12-214850-7.50022-X"},{"key":"e_1_3_4_5_2","first-page":"1","volume-title":"Proceedings of the 6th Workshop on Security Information Workers","author":"Akgul Omer","year":"2020","unstructured":"Omer Akgul, Taha Eghtesad, Amit Elazari, Omprakash Gnawali, Jens Grossklags, Daniel Votipka, and Aron Laszka. 2020. The hackers\u2019 viewpoint: Exploring challenges and benefits of bug-bounty programs. In Proceedings of the 6th Workshop on Security Information Workers. 1\u20137."},{"key":"e_1_3_4_6_2","first-page":"230","volume-title":"Proceedings of the Pacific Asia Conference on Information Systems (PACIS\u201918)","author":"Al-Banna Mortada","year":"2018","unstructured":"Mortada Al-Banna, Boualem Benatallah, Daniel Schlagwein, Elisa Bertino, and Moshe Chai Barukh. 2018. Friendly hackers to the rescue: How organizations perceive crowdsourced vulnerability discovery. In Proceedings of the Pacific Asia Conference on Information Systems (PACIS\u201918). 230."},{"key":"e_1_3_4_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3039833"},{"key":"e_1_3_4_8_2","doi-asserted-by":"publisher","DOI":"10.1515\/9781400879762-024"},{"key":"e_1_3_4_9_2","first-page":"281","volume-title":"Proceedings of the 14th Symposium on Usable Privacy and Security (SOUPS\u201918)","author":"Assal Hala","year":"2018","unstructured":"Hala Assal and Sonia Chiasson. 2018. Security in the software development lifecycle. In Proceedings of the 14th Symposium on Usable Privacy and Security (SOUPS\u201918). 281\u2013296."},{"key":"e_1_3_4_10_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.spinee.2020.10.006"},{"key":"e_1_3_4_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/2723872.2723882"},{"key":"e_1_3_4_12_2","article-title":"CharacterBERT: Reconciling ELMo and BERT for word-level open-vocabulary representations from characters","author":"Boukkouri Hicham El","year":"2020","unstructured":"Hicham El Boukkouri, Olivier Ferret, Thomas Lavergne, Hiroshi Noji, Pierre Zweigenbaum, and Junichi Tsujii. 2020. CharacterBERT: Reconciling ELMo and BERT for word-level open-vocabulary representations from characters. arXiv preprint arXiv:2010.10392 (2020).","journal-title":"arXiv preprint arXiv:2010.10392"},{"key":"e_1_3_4_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/tse.2007.26"},{"key":"e_1_3_4_14_2","first-page":"43","article-title":"Competing jurisdictions: Data privacy across the borders","author":"Celeste Edoardo","year":"2020","unstructured":"Edoardo Celeste and Federico Fabbrini. 2020. Competing jurisdictions: Data privacy across the borders. In Data Privacy and Trust in Cloud Computing. Palgrave Studies in Digital Business & Enabling Technologies. Springer, 43\u201358.","journal-title":"Data Privacy and Trust in Cloud Computing."},{"key":"e_1_3_4_15_2","volume-title":"Bug Bounty Programs: Analyzing the Future of Vulnerability Research","author":"Christian Joseph L.","year":"2018","unstructured":"Joseph L. Christian. 2018. Bug Bounty Programs: Analyzing the Future of Vulnerability Research. Ph.D. Dissertation. Utica College."},{"key":"e_1_3_4_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/32.6190"},{"key":"e_1_3_4_17_2","unstructured":"Katja C. DeGroot. 1990. An overview of recent changes in California computer crime laws: The criminalization of computer contamination and strengthened penalty provisions. California Penal Code Sections 502 502.01 1203.047 1203.048."},{"key":"e_1_3_4_18_2","article-title":"BERT: Pre-training of deep bidirectional transformers for language understanding","author":"Devlin Jacob","year":"2018","unstructured":"Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2018. BERT: Pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018).","journal-title":"arXiv preprint arXiv:1810.04805"},{"key":"e_1_3_4_19_2","unstructured":"Disclose. 2022. Safe Harbour. Retrieved February 12 2022 from https:\/\/github.com\/disclose\/policymaker\/blob\/main\/static\/templates\/disclose-io-safe-harbor\/en-US.md."},{"key":"e_1_3_4_20_2","unstructured":"Disclose. 2022. Simple Safe Harbour. Retrieved February 12 2022 from https:\/\/github.com\/disclose\/policymaker\/blob\/main\/static\/templates\/disclose-io-simple-safe-harbor\/en-US.md."},{"key":"e_1_3_4_21_2","unstructured":"Amit Elazari. 2018. Hacking the law: Are bug bounties a true safe harbor? USENIX . Retrieved March 29 2023 from https:\/\/www.usenix.org\/conference\/enigma2018\/presentation\/elazari."},{"key":"e_1_3_4_22_2","article-title":"Coming in from the Cold: A Safe Harbor from the CFAA and the DMCA \u00a71201.","author":"Etcovitch Daniel","year":"2018","unstructured":"Daniel Etcovitch and Thyla van der Merwe. 2018. Coming in from the Cold: A Safe Harbor from the CFAA and the DMCA \u00a71201. Publication No. 2018-4. Berkman Klein Center.","journal-title":"Publication No. 2018-4"},{"key":"e_1_3_4_23_2","first-page":"273","volume-title":"Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913)","author":"Finifter Matthew","year":"2013","unstructured":"Matthew Finifter, Devdatta Akhawe, and David Wagner. 2013. An empirical study of vulnerability rewards programs. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913). 273\u2013288."},{"key":"e_1_3_4_24_2","volume-title":"Proceedings of the 2019 RSA Conference","author":"Fisk Peter","year":"2019","unstructured":"Peter Fisk. 2019. De-bugging legal issues in bug bounty programs and VDP. In Proceedings of the 2019 RSA Conference."},{"key":"e_1_3_4_25_2","doi-asserted-by":"publisher","DOI":"10.1037\/h0057532"},{"key":"e_1_3_4_26_2","article-title":"Enabling end-to-end machine learning replicability: A case study in educational data mining","author":"Gardner Josh","year":"2018","unstructured":"Josh Gardner, Yuming Yang, Ryan Baker, and Christopher Brooks. 2018. Enabling end-to-end machine learning replicability: A case study in educational data mining. arXiv preprint arXiv:1806.05208 (2018).","journal-title":"arXiv preprint arXiv:1806.05208"},{"key":"e_1_3_4_27_2","doi-asserted-by":"crossref","unstructured":"Eric Goldman. 2020. An Introduction to the California Consumer Privacy Act (CCPA) . Santa Clara University.","DOI":"10.4337\/9781788119924.00025"},{"key":"e_1_3_4_28_2","first-page":"524","volume-title":"Proceedings of the 2012 International Conference for Internet Technology and Secured Transactions","author":"Gordon Damian","year":"2012","unstructured":"Damian Gordon. 2012. Hackers and Hollywood 2: Considering televisual cyberthreats in security risk analysis. In Proceedings of the 2012 International Conference for Internet Technology and Secured Transactions. IEEE, Los Alamitos, CA, 524\u2013527."},{"key":"e_1_3_4_29_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v32i1.11503"},{"key":"e_1_3_4_30_2","unstructured":"HackerOne. 2019. The 2019 Hacker Report. Retrieved September 23 2019 from https:\/\/www.hackerone.com\/sites\/default\/files\/2019-02\/the-2019-hacker-report_3.pdf."},{"key":"e_1_3_4_31_2","unstructured":"HackerOne. 2022. Product Offerings. Retrieved February 12 2022 from https:\/\/docs.hackerone.com\/programs\/product-offerings.html."},{"key":"e_1_3_4_32_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.is.2014.07.006"},{"key":"e_1_3_4_33_2","doi-asserted-by":"publisher","DOI":"10.1038\/s41592-021-01256-7"},{"key":"e_1_3_4_34_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v32i1.11694"},{"key":"e_1_3_4_35_2","doi-asserted-by":"publisher","DOI":"10.1080\/00213624.2006.11506879"},{"key":"e_1_3_4_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.95"},{"issue":"10","key":"e_1_3_4_37_2","first-page":"2957","article-title":"Industry 4.0 and cyber security issues and challenges","volume":"12","year":"2021","unstructured":"Mamoona Humayun, N. Z. Jhanjhi, Muhammad Nabil Talib, M. H. Shah, and G. Sussendran. 2021. Industry 4.0 and cyber security issues and challenges. Turkish Journal of Computer and Mathematics Education 12, 10 (2021), 2957\u20132971.","journal-title":"Turkish Journal of Computer and Mathematics Education"},{"issue":"4","key":"e_1_3_4_38_2","first-page":"95","article-title":"A survey on the state-of-the-art machine learning models in the context of NLP","volume":"43","author":"Khan Wahab","year":"2016","unstructured":"Wahab Khan, Ali Daud, Jamal A. Nasir, and Tehmina Amjad. 2016. A survey on the state-of-the-art machine learning models in the context of NLP. Kuwait Journal of Science 43, 4 (2016), 95\u2013113.","journal-title":"Kuwait Journal of Science"},{"key":"e_1_3_4_39_2","doi-asserted-by":"publisher","DOI":"10.21236\/ADA006655"},{"key":"e_1_3_4_40_2","volume-title":"The Practice of Reproducible Research: Case Studies and Lessons from the Data-Intensive Sciences","author":"Kitzes Justin","year":"2018","unstructured":"Justin Kitzes, Daniel Turek, and Fatma Deniz. 2018. The Practice of Reproducible Research: Case Studies and Lessons from the Data-Intensive Sciences. University of California Press."},{"key":"e_1_3_4_41_2","doi-asserted-by":"publisher","DOI":"10.1086\/scer.14.3655314"},{"key":"e_1_3_4_42_2","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.2418812"},{"key":"e_1_3_4_43_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-58387-6_8"},{"key":"e_1_3_4_44_2","article-title":"California Consumer Privacy Act","author":"Legislation. California","year":"2018","unstructured":"California Legislation.2018. California Consumer Privacy Act. California Civil Code, Section 1798.100.","journal-title":"California Civil Code, Section 1798.100."},{"key":"e_1_3_4_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2020.2981314"},{"key":"e_1_3_4_46_2","article-title":"Dice loss for data-imbalanced NLP tasks","author":"Li Xiaoya","year":"2019","unstructured":"Xiaoya Li, Xiaofei Sun, Yuxian Meng, Junjun Liang, Fei Wu, and Jiwei Li. 2019. Dice loss for data-imbalanced NLP tasks. arXiv preprint arXiv:1911.02855 (2019).","journal-title":"arXiv preprint arXiv:1911.02855"},{"key":"e_1_3_4_47_2","article-title":"On the replicability and reproducibility of deep learning in software engineering","author":"Liu Chao","year":"2020","unstructured":"Chao Liu, Cuiyun Gao, Xin Xia, David Lo, John Grundy, and Xiaohu Yang. 2020. On the replicability and reproducibility of deep learning in software engineering. arXiv preprint arXiv:2006.14244 (2020).","journal-title":"arXiv preprint arXiv:2006.14244"},{"key":"e_1_3_4_48_2","article-title":"RoBERTa: A robustly optimized BERT pretraining approach","author":"Liu Yinhan","year":"2019","unstructured":"Yinhan Liu, Myle Ott, Naman Goyal, Jingfei Du, Mandar Joshi, Danqi Chen, Omer Levy, Mike Lewis, Luke Zettlemoyer, and Veselin Stoyanov. 2019. RoBERTa: A robustly optimized BERT pretraining approach. arXiv preprint arXiv:1907.11692 (2019).","journal-title":"arXiv preprint arXiv:1907.11692"},{"key":"e_1_3_4_49_2","doi-asserted-by":"publisher","DOI":"10.2196\/jmir.5870"},{"key":"e_1_3_4_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2018.2880508"},{"key":"e_1_3_4_51_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.repl4nlp-1.15"},{"key":"e_1_3_4_52_2","unstructured":"Microsoft. 2022. Security Development Lifecycle. Retrieved May 27 2022 from https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/about."},{"key":"e_1_3_4_53_2","volume-title":"Proceedings of the 6th Workshop on the Economics of Information Security.","author":"Miller Charles","year":"2007","unstructured":"Charles Miller. 2007. The legitimate vulnerability market: The secretive world of 0-day exploit sales. In Proceedings of the 6th Workshop on the Economics of Information Security."},{"key":"e_1_3_4_54_2","doi-asserted-by":"publisher","DOI":"10.1075\/li.30.1.03nad"},{"key":"e_1_3_4_55_2","doi-asserted-by":"publisher","DOI":"10.1007\/11766247_23"},{"key":"e_1_3_4_56_2","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9780511808678"},{"key":"e_1_3_4_57_2","doi-asserted-by":"publisher","DOI":"10.1080\/08874417.2020.1833379"},{"key":"e_1_3_4_58_2","doi-asserted-by":"publisher","DOI":"10.3389\/fpsyg.2019.02970"},{"key":"e_1_3_4_59_2","unstructured":"OWASP. 2022. OWASP Security Knowledge Framework. Retrieved May 27 2022 from https:\/\/owasp.org\/www-project-security-knowledge-framework\/."},{"key":"e_1_3_4_60_2","first-page":"68","article-title":"The California Consumer Privacy Act: Towards a European-style privacy regime in the United States","volume":"23","author":"Pardau Stuart L.","year":"2018","unstructured":"Stuart L. Pardau. 2018. The California Consumer Privacy Act: Towards a European-style privacy regime in the United States. Journal of Technology Law & Policy 23 (2018), 68.","journal-title":"Journal of Technology Law & Policy"},{"key":"e_1_3_4_61_2","unstructured":"Legislation.gov.uk. 1990. Computer Misuse Act 1990 (c. 18). Retrieved March 29 2023 from https:\/\/www.legislation.gov.uk\/ukpga\/1990\/18."},{"key":"e_1_3_4_62_2","doi-asserted-by":"publisher","DOI":"10.1158\/1078-0432.CCR-18-0385"},{"key":"e_1_3_4_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2022.3148714"},{"key":"e_1_3_4_64_2","first-page":"1","article-title":"Improving reproducibility in machine learning research: A report from the NeurIPS 2019 reproducibility program","volume":"22","author":"Pineau Joelle","year":"2021","unstructured":"Joelle Pineau, Philippe Vincent-Lamarre, Koustuv Sinha, Vincent Larivi\u00e8re, Alina Beygelzimer, Florence d\u2019Alch\u00e9 Buc, Emily Fox, and Hugo Larochelle. 2021. Improving reproducibility in machine learning research: A report from the NeurIPS 2019 reproducibility program. Journal of Machine Learning Research 22 (2021), 1\u201320.","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_4_65_2","volume-title":"Software Engineering: A Practitioner\u2019s Approach","author":"Pressman Roger S.","year":"2005","unstructured":"Roger S. Pressman. 2005. Software Engineering: A Practitioner\u2019s Approach. Palgrave Macmillan."},{"key":"e_1_3_4_66_2","doi-asserted-by":"publisher","DOI":"10.1007\/s12130-999-1026-0"},{"key":"e_1_3_4_67_2","doi-asserted-by":"publisher","DOI":"10.1145\/1764810.1764814"},{"key":"e_1_3_4_68_2","unstructured":"Amy Terry Sheehan. 2017. Proactive steps to prevent legal pitfalls in bug bounty programs. Cybersecurity Law Report 3 7 (2017) 1\u20133."},{"issue":"81","key":"e_1_3_4_69_2","first-page":"2443","article-title":"The need for open source software in machine learning","volume":"8","author":"Sonnenburg Soren","year":"2007","unstructured":"Soren Sonnenburg, Mikio L. Braun, Cheng Soon Ong, Samy Bengio, Leon Bottou, Geoffrey Holmes, Yann LeCunn, et\u00a0al. 2007. The need for open source software in machine learning. Journal of Machine Learning Research 8, 81 (2007), 2443\u20132466.","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_4_70_2","volume-title":"Natural Language Processing and Computational Linguistics: A Practical Guide to Text Analysis with Python, Gensim, spaCy, and Keras","author":"Srinivasa-Desikan Bhargav","year":"2018","unstructured":"Bhargav Srinivasa-Desikan. 2018. Natural Language Processing and Computational Linguistics: A Practical Guide to Text Analysis with Python, Gensim, spaCy, and Keras. Packt Publishing Ltd."},{"issue":"1","key":"e_1_3_4_71_2","first-page":"62","article-title":"Unseen war?: Hackers, tactical media, and their depiction in Hollywood cinema","volume":"2","author":"Sta\u0144czyk Marta","year":"2017","unstructured":"Marta Sta\u0144czyk. 2017. Unseen war?: Hackers, tactical media, and their depiction in Hollywood cinema. TransMissions: The Journal of Film and Media Studies 2, 1 (2017), 62\u201377.","journal-title":"TransMissions: The Journal of Film and Media Studies"},{"key":"e_1_3_4_72_2","unstructured":"Synopsys. 2017. BSIMM6: Building Security in Maturity Model Version 6. Retrieved March 4 2022 from https:\/\/www.inf.ed.ac.uk\/teaching\/courses\/sp\/2015\/lecs\/BSIMM6.pdf."},{"key":"e_1_3_4_73_2","unstructured":"Synopsys. 2020. BSIMM9: Building Security in Maturity Model Version 9. Retrieved December 18 2019 from https:\/\/www.bsimm.com\/download\/."},{"key":"e_1_3_4_74_2","unstructured":"Synopsys. 2021. BSIMM12 2021 Foundations Report. Retrieved March 4 2022 from https:\/\/www.bsimm.com\/content\/dam\/bsimm\/reports\/bsimm12-foundations.pdf."},{"key":"e_1_3_4_75_2","unstructured":"Synopsys. 2021. BSIMM12: Building Security in Maturity Model Version 12. Retrieved March 4 2022 from https:\/\/www.bsimm.com\/download\/."},{"key":"e_1_3_4_76_2","article-title":"Comprehensive Computer Data Access and Fraud Act","author":"Legislature. California","year":"1989","unstructured":"California Legislature.1989. Comprehensive Computer Data Access and Fraud Act. California Penal Code, Section 502.","journal-title":"California Penal Code, Section 502."},{"key":"e_1_3_4_77_2","unstructured":"Center for Democracy and Technology. 2022. Taking the Pulse of Hacking: A Risk Basis for Security Research. Retrieved May 27 2022 from https:\/\/cdt.org\/insights\/report-taking-the-pulse-of-hacking-a-risk-basis-for-security-research\/."},{"key":"e_1_3_4_78_2","first-page":"1","article-title":"Regulation (EU) 2016\/679 of the European Parliament and of the Council","volume":"679","author":"Union European","year":"2016","unstructured":"European Union. 2016. Regulation (EU) 2016\/679 of the European Parliament and of the Council. Official Journal of the European Union 679 (2016), 1\u201388.","journal-title":"Official Journal of the European Union"},{"key":"e_1_3_4_79_2","unstructured":"Foreign & Commonwealth Office. n.d. Guidance\u2014UK Sanctions. Retrieved December 18 2022 from https:\/\/www.gov.uk\/guidance\/uk-sanctions."},{"key":"e_1_3_4_80_2","unstructured":"National Institute of Standards and Technology. 2022. Secure Software Development Framework. Retrieved May 27 2022 from https:\/\/csrc.nist.gov\/Projects\/ssdf."},{"key":"e_1_3_4_81_2","unstructured":"National Telecommunications and Information Administration. 2016. Vulnerability Disclosure Attitudes and Actions. Retrieved May 27 2022 from https:\/\/www.ntia.doc.gov\/files\/ntia\/publications\/2016_ntia_a_a_vulnerability_disclosure_insights_report.pdf."},{"key":"e_1_3_4_82_2","unstructured":"Senate Committee on the Judiciary. 1986. The Computer Fraud and Abuse Act of 1986 . United States Congress."},{"key":"e_1_3_4_83_2","unstructured":"Senate Committee on the Judiciary. 1996. The National Information Infrastructure Protection Act of 1996 . United States Congress."},{"key":"e_1_3_4_84_2","unstructured":"Senate Committee on the Judiciary. 1998. The Digital Millennium Copyright Act of 1998 . United States Congress."},{"key":"e_1_3_4_85_2","unstructured":"Senate Committee on the Judiciary. 2020. The Anti-Money Laundering Act of 2020 . United States Congress."},{"key":"e_1_3_4_86_2","unstructured":"The Software Alliance. 2022. BSA Framework for Secure Software. Retrieved May 27 2022 from https:\/\/www.bsa.org\/reports\/updated-bsa-framework-for-secure-software."},{"key":"e_1_3_4_87_2","unstructured":"U.S. Department of the Treasury. 2022. Office of Foreign Assets Control\u2014Sanctions Programs and Information. Retrieved February 21 2022 from https:\/\/home.treasury.gov\/policy-issues\/office-of-foreign-assets-control-sanctions-programs-and-information."},{"key":"e_1_3_4_88_2","article-title":"Best practices for managing data annotation projects","author":"Tseng Tina","year":"2020","unstructured":"Tina Tseng, Amanda Stent, and Domenic Maida. 2020. Best practices for managing data annotation projects. arXiv preprint arXiv:2009.11654 (2020).","journal-title":"arXiv preprint arXiv:2009.11654"},{"issue":"86","key":"e_1_3_4_89_2","first-page":"2579","article-title":"Visualizing data using t-SNE","volume":"9","author":"Maaten Laurens Van der","year":"2008","unstructured":"Laurens Van der Maaten and Geoffrey Hinton. 2008. Visualizing data using t-SNE. Journal of Machine Learning Research 9, 86 (2008), 2579\u20132605.","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_4_90_2","article-title":"Attention is all you need","volume":"30","author":"Vaswani Ashish","year":"2017","unstructured":"Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N. Gomez, \u0141ukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. In Advances in Neural Information Processing Systems 30 (2017).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_4_91_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00003"},{"key":"e_1_3_4_92_2","doi-asserted-by":"publisher","DOI":"10.1109\/IBF50092.2020.9034828"},{"key":"e_1_3_4_93_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102936"},{"key":"e_1_3_4_94_2","doi-asserted-by":"publisher","DOI":"10.1145\/3477314.3506968"},{"key":"e_1_3_4_95_2","unstructured":"Jake Weidman and Jens Grossklags. 2018. What\u2019s in your policy? An analysis of the current state of information security policies in academic institutions. In Proceedings of the 26th European Conference on Information Systems . 1\u201316."},{"key":"e_1_3_4_96_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11127-009-9399-x"},{"key":"e_1_3_4_97_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jbi.2020.103481"},{"key":"e_1_3_4_98_2","article-title":"Comparing CNN and LSTM character-level embeddings in BiLSTM-CRF models for chemical and disease named entity recognition","author":"Zhai Zenan","year":"2018","unstructured":"Zenan Zhai, Dat Quoc Nguyen, and Karin Verspoor. 2018. Comparing CNN and LSTM character-level embeddings in BiLSTM-CRF models for chemical and disease named entity recognition. arXiv preprint arXiv:1808.08450 (2018).","journal-title":"arXiv preprint arXiv:1808.08450"},{"key":"e_1_3_4_99_2","article-title":"OPT: Open pre-trained transformer language models","author":"Zhang Susan","year":"2022","unstructured":"Susan Zhang, Stephen Roller, Naman Goyal, Mikel Artetxe, Moya Chen, Shuohui Chen, Christopher Dewan, et\u00a0al. 2022. OPT: Open pre-trained transformer language models. arXiv preprint arXiv:2205.01068 (2022).","journal-title":"arXiv preprint arXiv:2205.01068"},{"key":"e_1_3_4_100_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813704"},{"key":"e_1_3_4_101_2","doi-asserted-by":"publisher","DOI":"10.5325\/jinfopoli.7.1.0372"},{"key":"e_1_3_4_102_2","volume-title":"Proceedings of the HCOMP Workshop on Mathematical Foundations of Human Computation","author":"Zhao Mingyi","year":"2016","unstructured":"Mingyi Zhao, Aron Laszka, Thomas Maillart, and Jens Grossklags. 2016. Crowdsourced security vulnerability discovery: Modeling and organizing bug-bounty programs. In Proceedings of the HCOMP Workshop on Mathematical Foundations of Human Computation."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3586180","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3586180","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:08:12Z","timestamp":1750183692000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3586180"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,30]]},"references-count":101,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2023,6,30]]}},"alternative-id":["10.1145\/3586180"],"URL":"https:\/\/doi.org\/10.1145\/3586180","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,6,30]]},"assertion":[{"value":"2022-06-21","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-01-26","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-08-10","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}