"Oh, what people would do with my knife?" Navigating the Dual-Use Dilemma in PoC Exploit Development, Disclosure, and Community Dynamics

Arwa Al Alsadi and Lorenz Kustosch, TU Delft; Lamya Alowain, Independent; Michel Van Eeten and Carlos H. Gañán, TU Delft

The cybersecurity landscape faces an escalating challenge as proof-of-concept (PoC) exploits transition from demonstrations to weaponized attacks within minutes of disclosure. While research has documented temporal dynamics and malicious deployment, a critical gap remains in understanding the human factors underlying PoC creation. Through semi-structured interviews with 16 PoC developers across diverse regions, we apply Expectancy-Value Theory to reveal PoC development as a complex motivational ecosystem where technical confidence, value assessments, and risk calculations intersect within dual-use tensions. We demonstrate that PoC development spans a continuum from crash demonstrations to weaponized exploits, shaped by multifaceted calculus rather than binary ethics. We identify three theoretical extensions: dual-use moral reasoning enabling responsibility externalization, dynamic value assessment where vendor behavior reshapes disclosure decisions, and identity navigation between ethical research and technical mastery. Vendor responsiveness, community dynamics, and legal constraints significantly influence disclosure strategies. PoC developers adopt risk-mitigation approaches when navigating tensions between security improvement and potential misuse, challenging binary conceptualizations of "responsible" versus "irresponsible" disclosure.
