An Exploratory Study of White Hat Behaviors in a Web Vulnerability Disclosure Program

White hats are making significant contributions to cybersecurity by submitting vulnerability discovery reports to public vulnerability disclosure programs and company-initiated vulnerability reward programs. In this paper, we study white hat behaviors by analyzing a 3.5-year dataset which documents the contributions of 3254 white hats and the 16446 Web vulnerability reports they submitted. Our dataset is collected from Wooyun, the predominant Web vulnerability disclosure program in China. We first show that Wooyun is continuously attracting new contributors from the white hat community. We then examine white hats' contributions along several dimensions. In particular, we provide evidence about the diversity inside Wooyun's white hat community and discuss the importance of this diversity for vulnerability discovery. Our results suggest that more participation, and thereby more diversity, contributes to higher productivity of the vulnerability discovery process.
