An exploratory study of white hat behaviors in a web vulnerability disclosure program

Mingyi Zhao; Jens Grossklags; Kai Chen

doi:10.1145/2663887.2663906

An exploratory study of white hat behaviors in a web vulnerability disclosure program

Mingyi Zhao, Jens Grossklags, Kai Chen

Penn State University Park

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

24 Scopus citations

Abstract

White hats are making significant contributions to cybersecurity by submitting vulnerability discovery reports to public vulnerability disclosure programs and company-initiated vulnerability reward programs. In this paper, we study white hat behaviors by analyzing a 3.5-year dataset which documents the contributions of 3254 white hats and their submitted 16446 Web vulnerability reports. Our dataset is collected from Wooyun, the predominant Web vulnerability disclosure program in China. We first show that Wooyun is continuously attracting new contributors from the white hat community. We then examine white hats' contributions along several dimensions. In particular, we provide evidence about the diversity inside Wooyun's white hat community and discuss the importance of this diversity for vulnerability discovery. Our results suggest that more participation, and thereby more diversity, contributes to higher productivity of the vulnerability discovery process.

Original language	English (US)
Title of host publication	SIW 2014 - Proceedings of the 2014 ACM Workshop on Security Information Workers, Co-located with CCS 2014
Publisher	Association for Computing Machinery
Pages	51-58
Number of pages	8
Edition	November
ISBN (Print)	9781450331524
DOIs	https://doi.org/10.1145/2663887.2663906
State	Published - Nov 7 2014
Event	2014 ACM Workshop on Security Information Workers, SIW 2014 - Co-located with CCS 2014 - Scottsdale, United States Duration: Nov 7 2014 → …

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
Number	November
Volume	2014-November
ISSN (Print)	1543-7221

Conference

Conference	2014 ACM Workshop on Security Information Workers, SIW 2014 - Co-located with CCS 2014
Country/Territory	United States
City	Scottsdale
Period	11/7/14 → …

All Science Journal Classification (ASJC) codes

Software
Computer Networks and Communications

Access to Document

10.1145/2663887.2663906

Cite this

Zhao, M., Grossklags, J., & Chen, K. (2014). An exploratory study of white hat behaviors in a web vulnerability disclosure program. In SIW 2014 - Proceedings of the 2014 ACM Workshop on Security Information Workers, Co-located with CCS 2014 (November ed., pp. 51-58). (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 2014-November, No. November). Association for Computing Machinery. https://doi.org/10.1145/2663887.2663906

Zhao, Mingyi ; Grossklags, Jens ; Chen, Kai. / An exploratory study of white hat behaviors in a web vulnerability disclosure program. SIW 2014 - Proceedings of the 2014 ACM Workshop on Security Information Workers, Co-located with CCS 2014. November. ed. Association for Computing Machinery, 2014. pp. 51-58 (Proceedings of the ACM Conference on Computer and Communications Security; November).

@inproceedings{7cc6021589204f8a8093b12efc0dba38,

title = "An exploratory study of white hat behaviors in a web vulnerability disclosure program",

abstract = "White hats are making significant contributions to cybersecurity by submitting vulnerability discovery reports to public vulnerability disclosure programs and company-initiated vulnerability reward programs. In this paper, we study white hat behaviors by analyzing a 3.5-year dataset which documents the contributions of 3254 white hats and their submitted 16446 Web vulnerability reports. Our dataset is collected from Wooyun, the predominant Web vulnerability disclosure program in China. We first show that Wooyun is continuously attracting new contributors from the white hat community. We then examine white hats' contributions along several dimensions. In particular, we provide evidence about the diversity inside Wooyun's white hat community and discuss the importance of this diversity for vulnerability discovery. Our results suggest that more participation, and thereby more diversity, contributes to higher productivity of the vulnerability discovery process.",

author = "Mingyi Zhao and Jens Grossklags and Kai Chen",

note = "Publisher Copyright: Copyright {\textcopyright} 2014 by the Association for Computing Machinery, Inc. (ACM).; 2014 ACM Workshop on Security Information Workers, SIW 2014 - Co-located with CCS 2014 ; Conference date: 07-11-2014",

year = "2014",

month = nov,

day = "7",

doi = "10.1145/2663887.2663906",

language = "English (US)",

isbn = "9781450331524",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

number = "November",

pages = "51--58",

booktitle = "SIW 2014 - Proceedings of the 2014 ACM Workshop on Security Information Workers, Co-located with CCS 2014",

edition = "November",

}

Zhao, M, Grossklags, J & Chen, K 2014, An exploratory study of white hat behaviors in a web vulnerability disclosure program. in SIW 2014 - Proceedings of the 2014 ACM Workshop on Security Information Workers, Co-located with CCS 2014. November edn, Proceedings of the ACM Conference on Computer and Communications Security, no. November, vol. 2014-November, Association for Computing Machinery, pp. 51-58, 2014 ACM Workshop on Security Information Workers, SIW 2014 - Co-located with CCS 2014, Scottsdale, United States, 11/7/14. https://doi.org/10.1145/2663887.2663906

An exploratory study of white hat behaviors in a web vulnerability disclosure program. / Zhao, Mingyi; Grossklags, Jens; Chen, Kai.

SIW 2014 - Proceedings of the 2014 ACM Workshop on Security Information Workers, Co-located with CCS 2014. November. ed. Association for Computing Machinery, 2014. p. 51-58 (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 2014-November, No. November).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - An exploratory study of white hat behaviors in a web vulnerability disclosure program

AU - Zhao, Mingyi

AU - Grossklags, Jens

AU - Chen, Kai

PY - 2014/11/7

Y1 - 2014/11/7

N2 - White hats are making significant contributions to cybersecurity by submitting vulnerability discovery reports to public vulnerability disclosure programs and company-initiated vulnerability reward programs. In this paper, we study white hat behaviors by analyzing a 3.5-year dataset which documents the contributions of 3254 white hats and their submitted 16446 Web vulnerability reports. Our dataset is collected from Wooyun, the predominant Web vulnerability disclosure program in China. We first show that Wooyun is continuously attracting new contributors from the white hat community. We then examine white hats' contributions along several dimensions. In particular, we provide evidence about the diversity inside Wooyun's white hat community and discuss the importance of this diversity for vulnerability discovery. Our results suggest that more participation, and thereby more diversity, contributes to higher productivity of the vulnerability discovery process.

AB - White hats are making significant contributions to cybersecurity by submitting vulnerability discovery reports to public vulnerability disclosure programs and company-initiated vulnerability reward programs. In this paper, we study white hat behaviors by analyzing a 3.5-year dataset which documents the contributions of 3254 white hats and their submitted 16446 Web vulnerability reports. Our dataset is collected from Wooyun, the predominant Web vulnerability disclosure program in China. We first show that Wooyun is continuously attracting new contributors from the white hat community. We then examine white hats' contributions along several dimensions. In particular, we provide evidence about the diversity inside Wooyun's white hat community and discuss the importance of this diversity for vulnerability discovery. Our results suggest that more participation, and thereby more diversity, contributes to higher productivity of the vulnerability discovery process.

UR - http://www.scopus.com/inward/record.url?scp=84937677217&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84937677217&partnerID=8YFLogxK

U2 - 10.1145/2663887.2663906

DO - 10.1145/2663887.2663906

M3 - Conference contribution

AN - SCOPUS:84937677217

SN - 9781450331524

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 51

EP - 58

BT - SIW 2014 - Proceedings of the 2014 ACM Workshop on Security Information Workers, Co-located with CCS 2014

PB - Association for Computing Machinery

T2 - 2014 ACM Workshop on Security Information Workers, SIW 2014 - Co-located with CCS 2014

Y2 - 7 November 2014

ER -

Zhao M, Grossklags J, Chen K. An exploratory study of white hat behaviors in a web vulnerability disclosure program. In SIW 2014 - Proceedings of the 2014 ACM Workshop on Security Information Workers, Co-located with CCS 2014. November ed. Association for Computing Machinery. 2014. p. 51-58. (Proceedings of the ACM Conference on Computer and Communications Security; November). https://doi.org/10.1145/2663887.2663906

An exploratory study of white hat behaviors in a web vulnerability disclosure program

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this