EEMCS-CS-DACS

I'm 陳亭翰 (Chen, Ting-Han) from 台灣 Taiwan.
Feel free to call me by my first name, 亭翰 (Ting-Han).

I started as a PhD candidate in the Design and Analysis of Communication Systems (DACS) group at the Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) at the University of Twente in April 2022. My research is part of INTERSCT, the biggest cybersecurity project in the Netherlands.

Before my position in the Netherlands, I obtained an Electrical Engineering Bachelor’s Degree and a Computer and Communication Engineering Master's Degree from National Cheng Kung University (NCKU) in Taiwan, with an exchange program at RWTH Aachen University in Germany. In addition, I worked at Taiwan Semiconductor Manufacturing Company (TSMC) as a DevOps engineer.

We have seen IoT devices everywhere; however, is it safe to use them? To sort this out, I focus on finding IoT vulnerabilities, performing vulnerability disclosure, and notifying users in a scalable way. The goal is to develop scalable vulnerability disclosure notifications to enhance the security of IoT. For more details about my work, please check the Research tab.

Expertise

  • Computer Science

    • Internet-Of-Things
    • Relationships
    • Signal Strength
    • User
    • Vulnerability Disclosure
    • Correlation
    • Time Information
    • Wearable Device


My PhD project is "Scalable IoT vulnerability testing and notification."

Keywords: Cybersecurity, Internet of Things, Vulnerability Disclosure, Vulnerability Notification, Network Scanning, Fingerprinting

Nowadays, various IoT devices have flooded the market, but they have also raised security concerns. My goal is to identify vulnerabilities or security issues, disclose findings to vendors, and notify end-users. Informing stakeholders, especially end-users, will be a challenge. There may be multi-party involvement and limited access to reach the affected parties. Ultimately, the project aims to investigate and implement scalable methods for identifying vulnerable systems and prompting stakeholders to take timely action, thus improving the security of the Internet.

My recent work focuses on distinguishing and improving the best practices for vulnerability disclosure and vulnerability notification:

Title: Vulnerability Disclosure or Notification? Best Practices for Reaching Stakeholders at Scale

Abstract:
Security researchers are interested in security vulnerabilities, but these security vulnerabilities create risks for stakeholders. Coordinated Vulnerability Disclosure has been an accepted best practice for many years in disclosing newly discovered vulnerabilities. This practice has mostly worked, but it can become challenging when there are many different parties involved.
There has also been research into known vulnerabilities, using datasets or active scans to discover how many machines are still vulnerable. The ethical guidelines suggest that researchers also make an effort to notify the owners of these machines. We identify that this differs from vulnerability disclosure, but rather the practice of vulnerability notification. This practice has some similarities with vulnerability disclosure but should be distinguished from it, providing other challenges and requiring a different approach.
Based on our earlier disclosure experience and on prior work documenting their disclosure and notification operations, we provide a meta-review on vulnerability disclosure and notification to observe the shifts in strategies in recent years. We assess how researchers initiated their messaging and examine the outcomes. We then compile the best practices for the existing disclosure guidelines and for notification operations.

Link to our arXiv version:
https://arxiv.org/abs/2506.14323

Publications

2024

Are You Sure You Want To Do Coordinated Vulnerability Disclosure? (2024) [Contribution to conference › Paper] 9th International Workshop on Traffic Measurements for Cybersecurity, WTMC 2024. Chen, T.-H., Tagliaro, C., Lindorfer, M., Borgolte, K. & van der Ham, J. https://doi.org/10.1109/EuroSPW61312.2024.00039


Address

University of Twente

Zilverling (building no. 11), room 5110
Hallenweg 19
7522 NH Enschede
Netherlands



Additional contact information

Status: 🟢
If I'm on leave, I update my status and time to return here
