Vulnerability Discovery for All: Experiences of Marginalization in Vulnerability Discovery
Vulnerability discovery is an essential aspect of software security.
Currently, the demand for security experts significantly exceeds the available vulnerability discovery workforce.
Further, the existing vulnerability discovery workforce is dominated by white men. As such, it is imperative that we better understand the reasons for this lack of diversity to ensure equity of opportunities and fully leverage the capacity of the broader population. Although significant prior research has explored the challenges of equity and inclusion in computing broadly, the competitive and frequently self-taught nature of vulnerability discovery work may create new variations on these challenges. This talk reports on a pair of studies. First, I will discuss a semi-structured interview study (N = 16) investigating how people from marginalized populations come to participate in vulnerability discovery, whether they feel welcomed by the vulnerability discovery community, and what challenges they face when joining the community. We find members of marginalized populations face some unique challenges, while other challenges common in vulnerability discovery are exacerbated by marginalization. Then I will discuss preliminary results from a follow-up study surveying the general security community about positive and negative interactions they have had and what impact different communities have had on their development and pursuit of a career in security. We find that across genders, there were no noticeable differences in feelings of belonging. However, women experienced harassment at higher rates than men in instances related to 1) stereotyping based on perceived demographic characteristics, 2) written or spoken language that made them feel unwelcome, and 3) unsolicited sexual advance or comments.Please join meeting in Cummings 160. Zoom is not available for this event; please disregard the Zoom information included in the email.