• We empirically validated that sender trust does have
a significant influence on success, in contrast to previous
work [6]. It is not only vital that recipients trust a notifi-
cation message, but also that email providers distinguish
legitimate notifications from the truly unwanted spam and
phishing emails they rightly discard.
• We identified a large gap between being aware of a
security problem and addressing it. The fraction of sites
that fixed a problem after learning about it differed per
group, ranging from about 33% of vulnerable WordPress
sites to 81% of sites with overly public Git folders. This
highlights that reaching out to affected parties is only
half of the battle, and the message itself is important
in convincing operators to take action. Moreover, future
work should investigate what level of technical detail is
required depending on the type of vulnerability being
reported.
We hope that future research, such as that outlined in
Section VII, can address some of these challenges and pave the
way to more successful security notifications.
ACKNOWLEDGEMENTS
We would like to thank the anonymous reviewers for
their valuable feedback. This work was supported by the
German Federal Ministry of Education and Research (BMBF)
through funding for the Center for IT-Security, Privacy and Ac-
countability (CISPA) (FKZ: 16KIS0345, 16KIS0656) and the
CISPA-Stanford Center for Cybersecurity (FKZ: 13N1S0762),
as well as the National Science Foundation awards CNS-
1237265 and CNS-1518921.
REFERENCES
[1] https://github.com/ben-stock/notification-ndss2018.
[2] “WordPress codex version 3.7,” online, https://codex.wordpress.org/Version_3.7.
[3] N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger,
M. Dankel, J. Steube, L. Valenta, D. Adrian, J. A. Hal-
derman, V. Dukhovni, E. Kasper, S. Cohney, S. Engels,
C. Paar, and Y. Shavitt, “DROWN: Breaking TLS Using
SSLv2,” in USENIX Security Symposium, 2016.
[4] M. Balduzzi, C. T. Gimenez, D. Balzarotti, and E. Kirda,
“Automated discovery of parameter pollution vulnerabil-
ities in web applications,” in Proceedings of the Network
and Distributed System Security Symposium, 2011.
[5] D. Canali, D. Balzarotti, and A. Francillon, “The role of
web hosting providers in detecting compromised web-
sites,” in International World Wide Web Conference,
2013.
[6] O. Cetin, M. H. Jhaveri, C. Gañán, M. van Eeten, and
T. Moore, “Understanding the role of sender reputation
in abuse reporting and cleanup,” in Workshop on the
Economy of Information Security, 2015.
[7] O. Cetin, C. Gañán, M. Korczynski, and M. van Eeten,
“Make notifications great again: Learning how to notify
in the age of large-scale vulnerability scanning,” in Work-
shop on the Economy of Information Security, 2017.
[8] D. Crocker, “Mailbox Names for Common Services,
Roles and Functions,” RFC 2142 (Proposed Standard),
RFC Editor, Fremont, CA, USA, pp. 1–6, May
1997. [Online]. Available: https://www.rfc-editor.org/rfc/
rfc2142.txt
[9] J. Czyz, M. J. Luckie, M. Allman, and M. Bailey, “Don’t
forget to lock the back door! A characterization of IPv6
network security policy.” in NDSS, 2016.
[10] A. Doupé, B. Boe, C. Kruegel, and G. Vigna, “Fear the
EAR: Discovering and mitigating execution after redirect
vulnerabilities,” in ACM CCS, 2011.
[11] Drupal Security Team, “Public service announcement
psa-2014-003.” [Online]. Available: https://www.drupal.
org/PSA-2014-003
[12] Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman,
“Analysis of the HTTPS certificate ecosystem,” in ACM
Internet Measurement Conference, 2013.
[13] Z. Durumeric, F. Li, J. Kasten, J. Amann, J. Beekman,
M. Payer, N. Weaver, D. Adrian, V. Paxson, M. Bailey,
and J. A. Halderman, “The matter of Heartbleed,” in ACM
Internet Measurement Conference, 2014.
[14] M. Finifter, D. Akhawe, and D. Wagner, “An empirical
study of vulnerability rewards programs,” in USENIX
Security Symposium, 2013.
[15] Google, “Choose whether to show images,” online, https://support.google.com/mail/answer/145919.
[16] S. Holm, “A simple sequentially rejective multiple test
procedure,” Scandinavian Journal of Statistics, pp. 65–
70, 1979.
[17] M. Kührer, T. Hupperich, C. Rossow, and T. Holz, “Exit
from hell? Reducing the impact of amplification DDoS
attacks,” in USENIX Security Symposium, 2014.
[18] S. Lekies, B. Stock, and M. Johns, “25 million flows later:
Large-scale detection of DOM-based XSS,” in ACM CCS,
2013.
[19] F. Li, Z. Durumeric, J. Czyz, M. Karami, D. McCoy,
S. Savage, M. Bailey, and V. Paxson, “You’ve got vulner-
ability: Exploring effective vulnerability notifications,” in
USENIX Security Symposium, 2016.
[20] F. Li, G. Ho, E. Kuan, Y. Niu, L. Ballard, K. Thomas,
E. Bursztein, and V. Paxson, “Remedying web hijack-
ing: Notification effectiveness and webmaster compre-
hension,” in International World Wide Web Conference,
2016.
[21] A. Nappa, M. Z. Rafique, and J. Caballero, “Driving in
the cloud: An analysis of drive-by download operations
and abuse reporting,” in DIMVA, 2013.
[22] A. Newton, B. Ellacott, and N. Kong, “HTTP Usage
in the Registration Data Access Protocol (RDAP),”
RFC 7480 (Proposed Standard), RFC Editor, Fremont,
CA, USA, pp. 1–16, Mar. 2015. [Online]. Available:
https://www.rfc-editor.org/rfc/rfc7480.txt
[23] B. Ramsdell and S. Turner, “Secure/Multipurpose
Internet Mail Extensions (S/MIME) Version 3.2 Message
Specification,” RFC 5751 (Proposed Standard), RFC
Editor, Fremont, CA, USA, pp. 1–45, Jan. 2010. [Online].
Available: https://www.rfc-editor.org/rfc/rfc5751.txt
[24] P. Resnick, “Internet Message Format,” RFC 2822
(Proposed Standard), RFC Editor, Fremont, CA, USA,
pp. 1–51, Apr. 2001, obsoleted by RFC 5322, updated
by RFCs 5335, 5336. [Online]. Available: https://www.rfc-editor.org/rfc/rfc2822.txt
[25] B. Stock, G. Pellegrino, C. Rossow, M. Johns, and
M. Backes, “Hey, you have a problem: On the feasibility
of large-scale web vulnerability notification,” in USENIX
Security Symposium, 2016.
[26] M. Vasek and T. Moore, “Do malware reports expedite