SCP Guest Lecture
Title: Vulnerability Discovery for All: A Human-Centric Approach to Software Vulnerability Discovery
Abstract: Software vulnerabilities persist as an important and costly challenge. Significant effort has been exerted toward automatic vulnerability discovery, but human intelligence generally remains required, and will remain necessary for the foreseeable future. Unfortunately, the pool of experts qualified to perform vulnerability discovery is small and homogeneous, leading to negative outcomes such as labor shortages and a lack of perspective diversity. In this talk, I will present the results of multiple studies investigating the humans at the center of vulnerability discovery. I will discuss the technical (e.g., the processes they follow to find vulnerabilities), along with the social (e.g., how they interact with others and navigate the bug bounty landscape) aspects of their work. From these results, I will lay out recommendations for developing more usable tooling, effective education, and more welcoming communities to make vulnerability discovery more approachable and inclusive.
Bio: Dr. Daniel Votipka is the Lin Family Assistant Professor in the Department of Computer Science at Tufts University. He received his PhD in Computer Science from the University of Maryland. His work focuses on understanding the processes and mental models of professionals who perform security-related tasks such as secure development, vulnerability discovery, network defense, and malware analysis to make security work more accessible and inclusive through improvements in automation, education, and policy. His work has been recognized with multiple best paper awards at top security and HCI venues and he was a recipient of the John Karat Usable Privacy and Security Student Research Award. Previously, he served in the US Air Force as a Cyber Warfare Officer assigned to the National Security Agency.