Disclosing security flaws could damage white hat hackers’ creativity, researcher warns

By Kuksung Nam, The Readable
Aug. 13, 2023 7:46AM GMT-7 Updated Aug. 17, 2023 4:23PM GMT+9

Las Vegas, NV ― Black Hat ― A security academic argued on Thursday that an organization’s choice to publicly disclose resolved vulnerabilities may inadvertently hinder ethical hackers’ ability to uncover previously unknown security weaknesses.

At the Black Hat conference, Ali Ahmed, an assistant professor in the Department of Information Systems at the College of Business, University of Wisconsin-Eau Claire, unveiled his ongoing research. This study delves into the intricate connection between bug bounty programs and the behaviors exhibited by white hat hackers participating in these initiatives.

Brian Lee, an assistant professor in the Department of Supply Chain and Information Systems at the Pennsylvania State University, and Amit Deokar, Associate Dean of Undergraduate Programs at the Manning School of Business, University of Massachusetts Lowell, also participated in the research.

Ali Ahmed, an assistant professor in the Department of Information Systems at the College of Business, University of Wisconsin-Eau Claire, is presenting his ongoing research at the Black Hat conference on Thursday. Photo by Kuksung Nam, The Readable

Together with his two colleagues, the professor collected and analyzed 8,712 vulnerability reports that 368 different companies had chosen to publicly disclose on HackerOne, an internationally known bug bounty platform. The data set therefore covers only the reports those programs decided to make public, not every report they received. Bug bounties have emerged as a strategy for organizations to strengthen their software security by offering financial incentives to individuals who find and report security vulnerabilities, so that flaws are fixed before potential attackers can exploit them.

According to their findings, the disclosed reports have a negative effect on hackers’ creativity, which is a crucial element in detecting security flaws. “If a firm discloses a lot, they are less likely to resolve a new bug in the next month or in the future,” said Ahmed. “It also showed that fewer hackers were able to be successful in finding new bugs.”

The expert introduced a psychological concept known as “fixation” to explain his findings, using the analogy of a hammer to drive home his point. Imagine someone who needs a paperweight and encounters a hammer for the first time. Without knowing its intended function, they might happily use the hammer as a paperweight. If they already knew what a hammer is for, however, they would use it only for its primary purpose, pounding nails.

“Similar phenomena happen in bug bounty programs,” said the professor. “Hackers’ minds are fixated on the prior examples. They go for the same techniques and methods in finding new bugs. So, disclosure can lead to fewer discoveries.”

During problem-solving, individuals often experience fixation, a cognitive bias that leads them to reach for the most familiar solution from their past experience rather than searching for a new one. In this view, hackers with extensive experience may actually be more susceptible to the influence of disclosed vulnerability reports than newcomers to the industry, because they have more prior examples to become fixated on.

The expert also suggested how organizations could steer hackers’ behavior in a positive direction. “Psychology says that expansive examples lead to more creative output. If firms disclose critical vulnerabilities, that will lead to more discoveries in the future and more success for hackers,” said Ahmed. “If they want hackers to be successful in their program, they should be more critical about how and what they disclose.”

He also stressed that ethical hackers should be aware of fixation when they study vulnerability reports. “They should get out of it. One strategy I found through this data is program switching. If hackers switch between programs a lot, it can’t create fixation,” the professor said.

The cover image of this article was designed by Areum Hwang.

Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and privacy by engaging with industry giants, foreign government officials and experts. Before joining The Readable, Kuksung reported on politics for one of South Korea’s top-five local newspapers, The Kyeongin Ilbo. Her journalistic skills and reportage earned her the coveted Journalists Association of Korea award in 2021 for her essay detailing exclusive stories about the misconduct of a former government official. She holds a Bachelor’s degree in French from Hankuk University of Foreign Studies, a testament to her linguistic capabilities.