A data-based analysis of Web Security news sources
So, Websec Weekly broke this week. It's had a few minor failures thus far, but this time, it was a total failure. The newsletter looked like this:
When I got the email myself, I felt terrible. Not only because my ~1.1k subscribers just got hit with a useless email, but also because I hadn't been keeping up with security disclosures on HackerOne and will now have to trawl through their "Hacktivity" feed to find out what's new.
I've fixed the bug that caused this week's empty email and am working on more fixes to ensure that this doesn't happen again. If anyone is interested in why this happened, it was essentially due to the sinks (SQLite DBs) being overly large/corrupted. The fix was simple and only required me to move the old databases to a backup folder, then re-run the database creation scripts.
What I hadn't realised when starting Websec Weekly was that, for every week for the last six months or so, I've been gathering an immense amount of data that can be analysed or used by others.
The databases for Websec Weekly until this date can be found here:
Let's do some basic analysis:
1) Who were the 10 most active researchers on HackerOne, from December 2014 to August 2015?
SELECT hunter, count(*) AS disclosures FROM hacktivity GROUP BY hunter ORDER BY disclosures DESC LIMIT 10;
disclosure count - researcher
111 - meals
60 - mlitchfield
36 - reactors08
29 - sergeym
23 - fin1te
23 - shahmeer_amir
20 - pranav_hivarekar
20 - wesecureapp
19 - panchocosil
18 - batram
2) What were some of the highest paid bounties on HackerOne publicly, from Dec 2014 to August 2015?
SELECT bounty, hunter, date, company FROM hacktivity WHERE bounty IS NOT NULL ORDER BY bounty DESC LIMIT 10;
-- only correct if bounty is stored numerically; a text column like '$10,000' sorts lexically, so '$9,000' would come out on top
bounty - researcher - date - company
$10,000 - biloulehibou - 23/02/15 - Internet Bug Bounty
$9,000 - ewok - 6/04/15 - Internet Bug Bounty
$7,500 - prosecco-inria - 1/04/15 - Internet Bug Bounty
$5,250 - a0005 - 21/05/15 - Slack
$5,040 - sehacure - 20/07/15 - Twitter
$5,040 - dalbin - 8/06/15 - Twitter
$5,000 - xknown - 3/04/15 - Slack
$5,000 - tfairane - 13/01/15 - Vimeo
$5,000 - dirtybit - 23/02/15 - Internet Bug Bounty
$5,000 - datokaa - 1/06/15 - Coinbase
3) Which companies closed the most bugs from December 2014 - August 2015?
SELECT company, count(*) AS closed FROM hacktivity GROUP BY company ORDER BY closed DESC LIMIT 10;
bugs closed - company
481 - Yahoo
155 - Twitter
123 - QIWI
113 - Vimeo
85 - Mail.ru
64 - Square
56 - itBit Exchange
55 - Slack
55 - Internet Bug Bounty
54 - Automattic
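As an added example (not the newsletter's own collection scripts), the following Python sqlite3 script rebuilds the three hacktivity queries above against a constructed in-memory copy of the table, ordered and limited so that each one actually returns a top N. The bounty column is parsed to a number before sorting, because a "$10,000" string sorts below "$9,000" when compared as text. The column names hunter, bounty, date and company are assumed from the tables printed above, the sample rows are made up, and the ready_to_send() guard is my suggestion for catching an empty or corrupted database before an issue goes out, not the fix described earlier in the post.

```python
import re
import sqlite3

# Constructed sample rows in the shape of the Websec Weekly "hacktivity" table:
# (hunter, bounty, date, company). Values are made up for illustration, not rows
# from the real database; column names are assumed from the tables in the post,
# and bounty is assumed to be stored as the display string ("$10,000") or NULL.
SAMPLE_ROWS = [
    ("meals",        "$500",    "2015-01-10", "Yahoo"),
    ("meals",        None,      "2015-01-12", "Yahoo"),
    ("meals",        "$1,000",  "2015-02-03", "Twitter"),
    ("mlitchfield",  "$250",    "2015-02-20", "Yahoo"),
    ("mlitchfield",  None,      "2015-03-02", "QIWI"),
    ("biloulehibou", "$10,000", "2015-02-23", "Internet Bug Bounty"),
    ("ewok",         "$9,000",  "2015-04-06", "Internet Bug Bounty"),
    ("a0005",        "$5,250",  "2015-05-21", "Slack"),
    ("sehacure",     "$5,040",  "2015-07-20", "Twitter"),
]


def bounty_usd(text):
    """Turn a display string such as '$10,000' into a number; NULL/blank -> 0."""
    if text is None:
        return 0.0
    digits = re.sub(r"[^0-9.]", "", text)
    return float(digits) if digits else 0.0


def open_db(rows=SAMPLE_ROWS):
    """Build an in-memory copy of the hacktivity table from the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hacktivity (hunter TEXT, bounty TEXT, date TEXT, company TEXT)"
    )
    conn.executemany("INSERT INTO hacktivity VALUES (?, ?, ?, ?)", rows)
    # Expose the parser to SQL so ORDER BY can sort bounties numerically.
    conn.create_function("bounty_usd", 1, bounty_usd)
    return conn


def top_hunters(conn, n=10):
    """Question 1: researchers with the most disclosures, ties broken by name."""
    return conn.execute(
        "SELECT hunter, COUNT(*) AS disclosures FROM hacktivity "
        "GROUP BY hunter ORDER BY disclosures DESC, hunter LIMIT ?",
        (n,),
    ).fetchall()


def top_bounties(conn, n=10):
    """Question 2: highest bounties, ordered by the parsed dollar value rather
    than by the text column (which would put '$9,000' above '$10,000')."""
    return conn.execute(
        "SELECT bounty, hunter, date, company FROM hacktivity "
        "WHERE bounty IS NOT NULL "
        "ORDER BY bounty_usd(bounty) DESC, hunter LIMIT ?",
        (n,),
    ).fetchall()


def top_bounty_lexical(conn):
    """The pitfall: a plain ORDER BY on the text column picks the wrong 'largest' bounty."""
    return conn.execute(
        "SELECT bounty FROM hacktivity WHERE bounty IS NOT NULL "
        "ORDER BY bounty DESC LIMIT 1"
    ).fetchone()[0]


def bugs_per_company(conn, n=10):
    """Question 3: companies with the most closed reports, ties broken by name."""
    return conn.execute(
        "SELECT company, COUNT(*) AS closed FROM hacktivity "
        "GROUP BY company ORDER BY closed DESC, company LIMIT ?",
        (n,),
    ).fetchall()


def ready_to_send(conn, min_rows=1):
    """Guard against an empty newsletter: refuse to build an issue from a
    database that fails SQLite's integrity check or holds no rows at all."""
    (status,) = conn.execute("PRAGMA integrity_check").fetchone()
    (rows,) = conn.execute("SELECT COUNT(*) FROM hacktivity").fetchone()
    return status == "ok" and rows >= min_rows


if __name__ == "__main__":
    db = open_db()
    print("ready to send:", ready_to_send(db))
    for row in top_hunters(db, 3):
        print(row)
    for row in top_bounties(db, 3):
        print(row)
    print("lexical 'max' bounty:", top_bounty_lexical(db))
    for row in bugs_per_company(db, 3):
        print(row)
```

The same ORDER BY ... DESC LIMIT N shape is what the posts and stackoverflow queries below need as well; the only extra step here is registering bounty_usd() as a SQL function so the sort key is numeric without rewriting the stored data.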
4) What domains made the most appearances on /r/Netsec from December 2014 - August 2015?
SELECT domain, count(*) AS posts FROM posts GROUP BY domain ORDER BY posts DESC LIMIT 10;
count - domain
117 - github.com
15 - self.netsec
14 - seclists
13 - blogs.cisco.com
13 - googleprojectzero.blogspot.com
12 - sakurity.com
10 - blog.netspi.com
10 - translate.wooyun.io
9 - randywestergren.com
9 - labofapenetrationtester.com
I find it interesting that both Cisco and Google Project Zero are among the most posted. It supports arguments that Google Project Zero was created for marketing purposes.
5) What were the most answered questions on StackExchange Security?
SELECT title, answers FROM stackoverflow ORDER BY answers DESC LIMIT 10;
answers - title
9 - Q: Is “password knocking” a good idea?
9 - Q: Can an old operating system webserver be made secure?
9 - Q: Why is a public key called a key - isn't it a lock? [on hold]
8 - Q: Why must I have a “strong” password for sites like this? [duplicate]
8 - Q: Is forcing users to use a strong password effective?
8 - Q: PHP malware/shell keeps resurrecting [duplicate]
8 - Q: Why do browsers default to http: and not https: for typed in URLs? [duplicate]
8 - Q: Is it legal to start a private website for you and your friends to hack? [on hold]
8 - Q: A person knows my IP address: how to save my data and address? [duplicate]
8 - Q: Is “different usernames” as good as “different passwords”
That's all for now. Some of these statistics were particularly interesting to me; maybe they provide some insight to you too. Bugcrowd has also released its dataset over here. I haven't had the time to go through theirs thoroughly, but it would be cool to compare the HackerOne data with theirs.
Enjoy the data :)