Didn’t You Hear Me? — Towards More Successful

Web Vulnerability Notifications

Ben Stock

∗

, Giancarlo Pellegrino

∗‡

, Frank Li

†

, Michael Backes

∗

, and Christian Rossow

UC Berkeley

Abstract—After treating the notification of vulnerable par-

ties as mere side-notes in research, the security community

has recently put more focus on how to conduct vulnerability

disclosure at scale. The first works in this area have shown

human aspects are roadblocks to a successful campaign. As part

of this experiment, we explored potential alternative notification

channels beyond email, including social media and phone. In

addition, we conducted an anonymous survey with the notified

operators, investigating their perspectives on our notifications.

We show the pitfalls of email-based communications, such as

the impact of anti-spam filters, the lack of trust by recipients,

and the hesitation in fixing vulnerabilities despite awareness.

However, our exploration of alternative communication channels

did not suggest a more promising medium. Seeing these results,

a large number of vulnerable Web sites. In addition, insecure

configurations may allow attackers to exploit systems, such as

retrieving sensitive data like cryptographic key material [3].

For researchers and attackers alike, detection of such issues

is often fairly straightforward: given a seed list of domains or

hosts, they can efficiently scan for existing security issues.

Considering the relative ease by which miscreants can

identify and exploit vulnerable systems, it is vital to quickly

and effectively inform affected parties. For example, the Dru-

pageddon flaw in 2014 [11] allowed attackers to backdoor

How to properly perform such notification is non-trivial,

independently studied how vulnerability notifications can be

conducted at scale, i.e., for a large number of vulnerable Web

sites and network services. Our results show that such large-

scale notifications have promise in spurring remediation, but

currently to an unsatisfactory degree. Both studies identified

that a roadblock to success was the reachability of correct

contacts. By tracking which administrators viewed detailed

technical vulnerability reports, the studies also found another

challenge: even after viewing such reports, a large fraction of

administrators still did not take corrective steps.

We continue this line of research and aim to better un-

state is caused solely by mail servers which mark emails as

spam, or if the reason is non-technical, i.e., caused by admin-

istrators who do not follow up on the provided information.

To achieve this goal, we conducted an automated large-scale

notification for two types of Web vulnerabilities using different

types and formats of notification emails.

Although emails are a convenient way of disseminating

vulnerability information at scale, it is unclear how they com-

pare with other channels, which cannot be as easily automated

as email sending. To that end, we investigate the feasibility

tions, it is also important to understand how the users perceive

notifications, e.g., whether they discard the messages due to a

lack of trust. To understand more about the administrators’

perspectives, we conducted an anonymous survey with the

site owners we previously notified about security issues, and

summarize the most important insights from their feedback.

Since the field of vulnerability notification at scale is still

in its infancy, our work not only aims at tackling the previously

described research questions, but also identifies areas in which

further research should be conducted to improve the quality

Contributions and Outline

To summarize, our paper makes the following contributions:

• After presenting our methodology in Section II, we report

on the results of an automated notification campaign for

more than 24,000 domains, affected by two distinctly

different types of vulnerabilities (Section III).

• With the data gathered from the notification campaign, in

Section IV we analyze in-depth the technical and human

aspects of a notification campaign, and provide insights

into parameters for the success of such a campaign.

and highlight ways of improving the notification process.

• Finally, based on our study as well as the prior work, we

outline directions for promising research to ensure that

vulnerability notifications can become more effective in

the future (Section VII).

II. METHODOLOGY

The goal of our study is to illuminate what factors may

influence the success of large-scale notifications on security

issues. To accomplish this, we conducted controlled multi-

variate notification experiments. In this section, we present

distributed an anonymous survey to notified contacts to gain

insight on the characteristics of respondents, their views on our

notifications, and shortcomings in our process. For additional

data, such as the notification messages and survey we used,

please see our GitHub repository [1].

A. Targeted Security Issues

Similar to our prior work [25], we focused on security

issues on Web sites that could be easily detected without

interfering with normal server operations. Our first two security

issues were recent (at the time of the experiments) cross-

webmasters merely needed to update WordPress to the latest

version in their currently used branch. We refer to the data set

collected for these Web sites as WP throughout the paper.

Our other security issue was publicly accessible Git repos-

itories. Since Git is a distributed versioning system, every

machine that has checked out a repository has a copy of its

complete history. By default, Git stores both configurations and

the actual repository data in the .git directory. If publicly

and inspect the source code, potentially uncovering hardcoded

secrets such as database logins, API credentials, and crypto-

graphic keys. To detect if a site contained such a repository

in its public Web directory, we checked for access to the

file .git/config. Some Web sites may have intentionally

exposed a repository as public. To avoid notifying those

webmasters, we inspected the .git/refs/heads/master

Generic Email Addresses — Generic email addresses are

standardized email usernames to be used when contacting

personnel of an organization, as defined in RFC 2142 [8].

Amongst these, we selected security or administrator oriented

additionally included info@ in hopes of potentially reaching

a front office for the organizations we contacted.

contacts who did not take action remained in an unknown

whether the message was not received by an appropriate party,

or instead ignored. To better understand whether recipients

However, if the resource request arrived from a blacklisted set

of IP address associated with anti-virus and other services that

scan URLs in emails in transit, we do not factor that request

Friendly (Friendly): We selected to establish first contact

with a friendlier non-technical message, excluding any links

and detailed information about the security issues. Instead, we

informed the recipient that we had discovered a security issue,

asking them to provide an email address in charge of handling

such reports. We also added our institution’s default email

signature with contact details to allow for recipients to vet us as

a sender (see our GitHub repository [1]). When we received

the correct point of contact, we manually sent the complete

report information, as accessible via our Web interface.

message types, we collected the following measurements:

detected as affected by a security issue, and determined if and

when the site remediated. Our monitoring system checked for

the security issue using the same method as used for detection,

visiting each site daily. Temporary network and server outages

can result in incorrect detection of remediation. Thus, after first

3

for the following seven days and consider the domain fixed on

that date if it did not appear affected again.

Report Access — Our notification recipients could access a

detailed technical report on the security issue by either replying

to our email messages or accessing our Web interface (with the

secret token). For each domain, we recorded if and when we

observed an email response or Web site visit with its associated

token. For the Friendly group, our initial message did not

include detailed information about the security issues or any

monitored for retrievals of our image resources, unique to each

recipient (without logging IP addresses or other identifiers).

Experiment Parameters — On January 30th, 2017, we

checked the Alexa Top 1M for the presence of one of the

outlined security issues. We then randomly assigned the sites

into seven groups as shown in Table I: one for each email

variant and an unnotified control group. All groups except

for Friendly contained approximately 4,000 domains in total.

As manual interaction was required for recipients of Friendly

messages, we limited the number of domains in this group

removed. The notification campaign started on February 3rd,

2017 and lasted six weeks. We sent two reminders on February

17th and on March 3rd.

C. Manual Notification Experiments

Automated email disclosures may be tenable, but may not

be the most effective method of notification. Prior work [19,

25] observed that a significant fraction of notified contacts

exhibited no responses. To explore alternative notification

options, we followed up our email notifications with five dif-

ferent forms of manual notifications, including communication

phone numbers, and postal addresses listed on affected Web

sites, and submitted “contact us” web forms. We also searched

the sites for links to their social media accounts on Twitter

and Facebook. We describe the method behind our manual

notifications in more detail in Section V. We collected the

same measurements as with the automated email notifications.

sent in prior studies [13, 19] to notification recipients, which

focused on the acceptability of the notifications. In our survey,

we additionally aim to understand the demographics of our re-

cipients, their prior experiences with security notifications and

reports, reasons behind the observed remediation behaviors,

and suggestions for improvements to our notification process.

The details of our survey are described in Section VI.

E. Ethical Considerations

We note that our primary institution does not provide an

IRB nor mandate (or enable) approval for such experiments.

not interfere with normal server operations. We respected any

opt-out requests and extensively tested our detection methods

prior to their deployments.

The ethics of performing security notifications themselves

are not fully settled, although a number of prior notification

studies [6, 13, 17, 19, 25] have set a precedence for acceptable

notifications. In particular, surveys in two prior studies [13, 19]

documented the acceptability and helpfulness of these no-

tifications in the eyes of message recipients. We likewise

believe that the potential good from informing vulnerable hosts

organizations, which followed best practices, e.g., it was fully

anonymous and optional. We note that we only collected data

on organization decisions and not individuals, thus our study

does not constitute human subjects research.

However, we employed safeguards to ensure that no private

information was collected. We did not log IP addresses or

any identifiers for any resource requests except for the random

token unique to each recipient. This only allowed us to learn

if that recipient or domain performed a specific action (visited

about the recipient. We only report aggregate results from this

monitoring, without ever revealing the outcome for a particular

domain or recipient. We believe the insights we can gain from

speculate that those sites that did not automatically or quickly

manually update to a new version yet (which implicitly fixed

our targeted XSS vulnerabilities) perhaps were less actively

maintained (if at all), reducing the likelihood that our outreach

VULNERABILITY BY MARCH 17TH, 2017

the control group and the notified groups. After two weeks,

an additional 7% of the notified groups had fixed on aver-

age, compared to the control group. After four weeks, this

improvement rose to 11% of the notified population, indicating

our first reminder messages spurred further viewed reports and

fixed sites. However, no further improvements occurred after

the second reminder message. This behavior contrasts slightly

with the re-notification results by Li et al. [19], who found

no increased remediation from a second round of messages

to network operators. We observe this effect occurred but only

5

the initial message contained little technical information about

the security issue and required a response, but also since it did

not contain any links (which likely increases the spam score).

Figure 4 shows how reports were accessed over time. We do

Bounced Emails — Unsurprisingly, widespread emailing to site

owners results in a number of bounced emails. For all notified

TABLE IV. NOTIFIED DOMAINS, VIEWED REPORTS (AND %), FIXED AFTER VIEW (VIEWED → FIXED)

to their corresponding addresses; for WordPress 1,906/12,442

(15.3%) bounced all attempts. These bounce rates differ neg-

ligibly between different notification groups.

Spam Filtering — An email may also be stopped by a spam

email access rates for the Git Tracking group bucketed by the

recipient mail provider, grouped by GMail, Microsoft-hosted

company mail servers, and all other providers. The results are

commensurate for WP, and elided for space.

For 477 domains, at least one email was sent to Google’s

mail servers. On Google’s GMail web interface, external

resources are retrieved by Google servers by default on email

open, except if the sender is deemed suspicious [15]. We

observe that the fraction of delivered emails that resulted in

image loads is four times higher for other mail providers com-

consistently for days after our messages were distributed. Thus

Google’s content-based spam filter appears to have filtered

out a significant fraction of our messages, highlighting the

significant impact spam filtering may have on security noti-

fications. While this observation may not be surprising, it is

important to note the operational similarities between security

notification campaigns and those done for marketing or spam.

Future coordination with mail providers may help distinguish

security notifications from other less desirable messages.

B. Human Aspects

TABLE V. TRACKING ANALYSIS PER PROVIDER FOR GIT

end up fixed. In contrast to our survey (see Section VI),

instead of providing an anonymous questionnaire, we reminded

operators about the unfixed vulnerabilities and asked if there

was anything we could do to help. In total, we contacted

360 domain operators this way. We only received a total

of 15 replies, but these nevertheless provided some insights.

Six domain operators said that they did not think it was

necessary to address the vulnerabilities, e.g., because they

were planning to move away from WordPress altogether. Three

answers indicated that the contact was not even aware of our

initial message, even though the report had been accessed

through misconfiguration of the web server). Moreover, one

recipient told us that he simply had forgotten about the problem

and another answered that our information was not trusted,

although they did follow the link to our web interface. As we

report in Section VI, our more methodical survey experiment

conveyed similar sentiments, particular on trust.

Correlating Update Frequency With Remediation — Word-

Press by default features an RSS feed, which is typically

accessible at domain.com/feed/ and shows recent site

changes such as new articles. We developed a small crawler

while 427 did not. For each domain, we then extracted the

number of days since the last content update relative to June

1st, 2017. Subsequently, we calculated the average time for

those domains that fixed and those that did not.

We found that sites which remediated after accessing a re-

port updated an average of 60 days priors, whereas vulnerable

domains averaged 115 days since their last update. This in

line with our hypothesis that webmasters of vulnerable WP

sites who do not react skew towards those that less actively

maintain their site or run such an outdated WordPress version

We conducted the same analysis for the control group,

finding minimal differences in the time since the last update be-

tween those who ended up fixing versus those who did not (119

days for fixed domains, 109 days for still vulnerable domains).

C. Tracking Analysis

The purpose of our Tracking group was primarily to under-

stand the conversion rate of email access compared to report

views. Table VI summarizes the remediation behavior condi-

tioned on email and report views. The top row Email Read

shows the total number of domains for which we verified that

the email was read. The two other rows distinguish between

domains that did and did not view the report, respectively.

From Reading an Email to Viewing a Report — For Git, from a

total of 1,548 Tracking notified domains, our email was opened

the hit on our tracking image, an additional 25 reports were

accessed without retrieving the image. For WP, out of 2,370

Tracking domains, 642 domains had at least one email read

(email reading rate of 27%), leading to 96 viewed reports

(report access rate of 15%); here, we observed an additional

22 viewed reports without the tracked image.

These findings are sobering, as they show that even if an

email was read, only 15–26% would investigate further by

viewing the report. Thus, even after overcoming the technical

challenges of successfully delivering a message to a recipient’s

external link only played a minor role in these results.

Fix Rates — Considering only those domains for which a

report was viewed (and the email was opened), we observe

that 74.42% and 33.33% of the issues were addressed for Git

and WP, respectively. This is in line with the results for all

other groups. The fix rate for WP domains which did receive

our email, but did not open the linked report, are in line with

the results for the control group (see Table II). Notably, the

outcome is different for the Git domains who opened the

email but did not view the report: 24.7% of these domains

The difference in the fix rates may be due to the varying na-

ture of the security issues. While the Git version control system

can be installed by a non-technical user. Thus, site operators

for Git domains may skew towards a better understanding of

the technical details about the reported issue compared to WP

webmasters. This may also explain the higher Git fix rate even

when viewing only the email. Additionally, our hypothesis that

the vulnerable WP sites are less actively maintained and run

outdated software may also be a contributing factor.

Usefulness of Generic Alias Addresses — RFC-specified

generic email aliases (such as security@) may not be con-

sistently available. To evaluate their effectiveness, we compare

the fraction of address recipients that accessed our emails and

our reports for WHOIS contacts versus generic aliases.

1) The email reading rate heavily depends on how many

8

2) The awareness raising factor of the campaign sets the

baseline for people being aware of the security problem,

largely influenced by the recipient’s trust in the email and,

consequently, if she considers the reported vulnerabilities

as serious (e.g., by viewing the detailed report).

3) The aware-to-fix rate, which was high (above 75%) for

Git, can be influenced by the type of report and type of