"You've Got Your Nice List of Bugs, Now What?" Vulnerability Discovery and Management Processes in the Wild


Noura Alomar, University of California, Berkeley; Primal Wijesekera, University of California, Berkeley, and International Computer Science Institute (ICSI); Edward Qiu, University of California, Berkeley; Serge Egelman, University of California, Berkeley, and International Computer Science Institute (ICSI)


Organizational security teams have begun to specialize, and as a result, the existence of red, blue, and purple teams have been used as signals for an organization's security maturity. There is also now a rise in the use of third-party contractors who offer services such as incident response or penetration testing. Additionally, bug bounty programs are not only gaining popularity, but also are perceived as cost-effective replacements for internal security teams. Due to the many strategies to secure organizations, determining which strategy is best suited for a given situation may be a difficult task. To understand how these varying strategies are applied in practice and to understand non-technical challenges faced by professionals, we conducted 53 interviews with security practitioners in technical and managerial roles tasked with vulnerability discovery or management. We found that organizations often struggle with vulnerability remediation and that vulnerability discovery efforts are hindered by significant trust, communication, funding, and staffing issues. Based on our findings, we offer recommendations for how organizations can better apply these strategies.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Presentation Video