Feasibility of Large-Scale Vulnerability Notifications after GDPR

2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (2020)

Abstract
In this paper, we consider the problem of effectively notifying domain owners, administrators, or webmasters of domain abuse or vulnerabilities. We have developed a scanner to test whether selected email aliases specified in RFC 2142 are correctly configured and whether notifications can be successfully delivered. We also test the reachability of email addresses collected from DNS Start of Authority (SOA) records. Based on a measurement campaign covering a larger number of domains than previous studies (4,602,907 domains), we show that domains are more reachable through SOA contacts. We find that country-code TLD names are more reachable than new gTLD names. We have also observed that the most used generic email alias is abuse (67.95%). Using regression analysis, we show the relationship between the reachability of email addresses and the fact that names are hosted on large shared platforms or have a significant value. Our results confirm that direct notification channels are currently not scalable, so we propose a scheme that preserves user privacy in compliance with GDPR and supports large-scale vulnerability notifications.
Keywords
large-scale notifications, domain name abuse, vulnerabilities, measurements, statistical analysis, GDPR