Vulnerability Discovery Interview Study

(Daniel) #1

Hi, my name is Daniel Votipka. I’m a researcher in the University of Maryland’s Computer Science Department. Dr. Michelle Mazurek and I are conducting an interview study examining how software testers and white-hat hackers look for security vulnerabilities. I wanted to reach out to you and see if anyone might be interested in participating.

For this study, we will conduct interviews asking about how you perform software vulnerability discovery tasks and how you have developed the necessary skills in this area. Further details about the study can be found at

The goal of our research is to understand how software testers and white-hat hackers think about and perform vulnerability discovery. We want to compare the groups, determine what strengths they bring to the table, and identify any challenges they face. Using our results, we will then develop improved training, tools, and policies that will help both groups perform this task better and in turn improve overall software security.

To be eligible for the study, the following requirements must be met:

  • Participants must have professional experience in software testing.
  • Participants must be 18 years or older.

Participation in this study will involve one 60-minute interview (in-person or video conference), and you will receive a $25 gift card for your time.

To be considered for participation, anyone can sign up at and complete a short (<5 min) demographic survey.

If you have any questions, comments, or concerns or you would just like to hear more about the research we’re doing, I’d be happy to talk further with you, so feel free to respond to this topic or email me at

(Jesper) #2

Could you elaborate on “vulnerability” in your context. It seems you have some already in mind… that is not “ordinary functional bugs”. Perhaps something along the lines of OWASP top 10?

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

(Daniel) #3

For this study, we consider a security vulnerability as anything that could be taken advantage of by a malicious party to perform some action that was not intended by the developer. The OWASP top 10 list is a good set of examples for web applications. Some other examples would be memory corruption bugs (e.g. buffer overflow, heap corruption), cryptographic errors (e.g. weak key usage), and incorrect calculation bugs (e.g. integer overflow, of-by-one errors). We are taking a general view for this study, so anything that might be used maliciously, we are considering as a security vulnerability.

(Daniel) #4

If anyone was considering participating in our study, but didn’t think you were qualified, we’ve opened up the restrictions a bit. We are no longer requiring that participants have previously found a security vulnerability. Are only criteria now are that you have professional experience in software testing and that you are over 18.

We’re still in need of more participants, so if you’re interested at all and are curious if you qualify, feel free to email me at