Security

Research Examines Role of White Hat Hacker Community

• By Dian Schaffhauser
• 01/22/15

A research project out of Penn State suggests that companies that reward hackers who uncover vulnerabilities in their systems could improve the discovery process by expanding and adding diversity to their white hat communities.

The research to understand how the white hat "market" functions was undertaken by Jens Grossklags, an assistant professor at Penn State's College of Information Sciences and Technology; Mingyi Zhao, a doctoral student at the college; and Kai Chen, a postdoctoral scholar currently at the Chinese Academy of Sciences.

"An Exploratory Study of White Behaviors in a Web Vulnerability Disclosure Program" used a dataset from WooYun.org, the "predominant" Web vulnerability disclosure program in China. The data encompassed contributions filed since the site's launch in 2010 from 3,254 white hat hackers from around the world and the 16,446 vulnerability reports they filed about 4,269 Web sites.

WooYun follows a process similar to other such community sites. Those who submit reports to WooYun receive no compensation. Once WooYun checks out the severity of a report, it informs the administrators of the affected site and gives them two months to fix it. Only after the fix is made will WooYun disclose the vulnerability.

According to the WooYun site, a "white hat" is a person with "great interests in network security, who were born with natural curiosities about how stuff works, who are willing to contribute their techniques to the common techniques, and who are pleased to give a helpful hand to others."

The researchers found that the top contributors to Wooyun posted only a fraction of all vulnerability reports to the site and that less active hackers also contributed high-quality vulnerability reports. Their conclusion: that the community as a whole, rather than a few expert white hats, plays a key role for vulnerability discovery.

This finding could influence how major Web companies — Google, Facebook and others — handle their own white hat operations. Currently, these operators often use a "vulnerability award program" (VRP) or "bug bounties" to encourage the white hat community to uncover potential problems in their software. They also use the services of crowdsourcing companies such as HackerOne and BugCrowd, which act as liaisons between white hats and software companies.

Based on preliminary results of the WooYun research, Grossklags, Zhao and Chen suggest that managers of company vulnerability programs "should not only focus on the top contributors, but also try to attract as many white hats as possible as contributors. More participation would likely translate [into] more diversity during the search process and more discoveries."

Undertaking that, however, may require new mechanisms for working with white hats, such as a program with a search tool that could help reduce the likelihood that contributors would report on the same vulnerability and the disclosure of more technical details of past vulnerabilities, "so that white hats can learn from others' findings." As the researchers pointed out in their report, "Wooyun's full disclosure model, which allows the reading of the white hats' comments in the vulnerability reports, likely helps new and even experienced white hats to learn."