Vulnerability Discovery for All: Experiences of Marginalization in Vulnerability Discovery

Vulnerability discovery is an essential aspect of software security. Currently, the demand for security experts significantly exceeds the available vulnerability discovery workforce. Further, the existing vulnerability discovery workforce is highly homogeneous, dominated by white and Asian men. As such, one promising avenue for increasing the capacity of the vulnerability discovery community is recruitment and retention from a broader population. Although significant prior research has explored the challenges of equity and inclusion in computing broadly, the competitive and frequently self-taught nature of vulnerability discovery work may create new variations on these challenges. This paper reports on a semi-structured interview study (N = 16) investigating how people from marginalized populations come to participate in vulnerability discovery, whether they feel welcomed by the vulnerability discovery community, and what challenges they face when joining it. We find that members of marginalized populations face some unique challenges, while other challenges common in vulnerability discovery are exacerbated by marginalization.
