Keywords:  Security Engineering and Design,

2019

Hackers vs. Testers: Understanding Software Vulnerability Discovery Processes

Primal Wijesekera, Staff Research Scientist, International Computer Science Institute, UC Berkeley
Serge Egelman, Research Director, International Computer Science Institute, UC Berkeley
Noura Alomar, PhD Student, International Computer Science Institute, UC Berkeley
Amit Elazari, Lecturer/Director, School of Information, UC Berkeley|Intel

Security vulnerabilities pose a grave danger to the integrity of any system because they can undermine almost any protection mechanism or safeguard. As such, finding vulnerabilities before the software gets deployed is a critical task in any current software development cycle. A vital tool has recently emerged in the arsenal of defenders: white-hat hackers (bug hunters) discovering vulnerabilities through bug-bounty programs. White-hat hackers, however, haven't received the attention they deserve from the security research community. Bug hunting is still portrayed as an ad-hoc process with very minimal empirical evidence showing why bug hunters are successful or how they are different from traditional software testers.

Our goal is to fill that knowledge gap and correctly understand white-hat hackers (bug hunters). We hypothesize that there are concrete differences between white-hat hackers and traditional software testers and penetration testers: how the different groups approach the same problem and their mentalities towards finding vulnerabilities in the code. White-hat hackers have proven to be a significant tool for increasing security in deployed systems by finding a variety of hidden bugs that would have otherwise been used by malicious actors. We believe that, as a research community, we need to uncover the reasons for that success scientifically. Understanding their approaches could help developers write more secure code, reducing the probability of introducing a vulnerability in the software and making software testing more efficient.