August 5, 2015 · data analysis

A data-based analysis of Web Security news sources

So, Websec Weekly broke this week. It's had a few minor failures thus far, but this time, it was a total failure. The newsletter looked like this:

When I got the email myself, I felt terrible. Not only because my ~1.1k subscribers just got hit with a useless email, but also because I hadn't been keeping up with security disclosures on HackerOne and will now have to trawl through their "Hacktivity" feed to find out what's new.

I've fixed the bug that caused this week's empty email and am working on more fixes to ensure that this doesn't happen again. If anyone is interested in why this happened, it was essentially due to the sinks (SQLite DBs) having grown overly large and becoming corrupted. The fix was simple: move the old databases to a backup folder, then re-run the database creation scripts.

What I hadn't realised when starting Websec Weekly was that, for every week for the last six months or so, I've been gathering an immense amount of data that can be analysed or used by others.

The databases for Websec Weekly until this date can be found here:

wsw_data.zip

Let's do some basic analysis:

1) Who were the 10 most active researchers on HackerOne in the period December 2014 to August 2015?

SELECT hunter, count(*) FROM hacktivity GROUP BY hunter ORDER BY count(*) DESC LIMIT 10;

disclosure count - researcher  
111 - meals  
60 - mlitchfield  
36 - reactors08  
29 - sergeym  
23 - fin1te  
23 - shahmeer_amir  
20 - pranav_hivarekar  
20 - wesecureapp  
19 - panchocosil  
18 - batram  

2) What were some of the highest publicly disclosed bounties on HackerOne, from December 2014 to August 2015?

-- assumes bounty is stored as a number; if it is text such as '$10,000' it must be converted before sorting
SELECT bounty, hunter, date, company FROM hacktivity ORDER BY bounty DESC LIMIT 10;

bounty - researcher - date - company  
$10,000 - biloulehibou - 23/02/15 - Internet Bug Bounty  
$9,000 - ewok - 6/04/15 - Internet Bug Bounty  
$7,500 - prosecco-inria - 1/04/15 - Internet Bug Bounty  
$5,250 - a0005 - 21/05/15 - Slack  
$5,040 - sehacure - 20/07/15 - Twitter  
$5,040 - dalbin - 8/06/15 - Twitter  
$5,000 - xknown - 3/04/15 - Slack  
$5,000 - tfairane - 13/01/15 - Vimeo  
$5,000 - dirtybit - 23/02/15 - Internet Bug Bounty  
$5,000 - datokaa - 1/06/15 - Coinbase  
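The two queries above rank rows, which only works if the bounty column sorts numerically. As an added example (not code from the original post), here is a small Python script against a constructed in-memory SQLite table in the shape the queries imply (hacktivity(hunter, bounty, date, company); the real wsw_data.zip schema is an assumption here) that parses text bounties such as "$10,000" before ordering, since a plain ORDER BY on text would place "$9,000" above "$10,000".

```python
import re
import sqlite3

# Constructed sample rows; values and schema are assumed for this example.
SAMPLE_ROWS = [
    ("biloulehibou", "$10,000", "23/02/15", "Internet Bug Bounty"),
    ("ewok", "$9,000", "6/04/15", "Internet Bug Bounty"),
    ("a0005", "$5,250", "21/05/15", "Slack"),
    ("sehacure", "$5,040", "20/07/15", "Twitter"),
    ("meals", "$500", "1/03/15", "Yahoo"),
    ("meals", None, "2/03/15", "Yahoo"),  # disclosure with no bounty paid
]


def bounty_to_cents(text):
    """Turn '$10,000' or '$5,040.50' into an integer number of cents (None if unparseable)."""
    if text is None:
        return None
    m = re.search(r"\$?\s*(\d[\d,]*)(?:\.(\d{1,2}))?", text)
    if not m:
        return None
    dollars = int(m.group(1).replace(",", ""))
    cents = int((m.group(2) or "0").ljust(2, "0"))
    return dollars * 100 + cents


def open_sample_db():
    """Build the constructed table and expose the parser as a SQL function."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hacktivity(hunter TEXT, bounty TEXT, date TEXT, company TEXT)")
    conn.executemany("INSERT INTO hacktivity VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.create_function("bounty_cents", 1, bounty_to_cents)
    return conn


def top_bounties(conn, limit=10):
    """Highest bounties by numeric value; rows without a parseable bounty are skipped."""
    return conn.execute(
        "SELECT bounty, hunter, date, company FROM hacktivity "
        "WHERE bounty_cents(bounty) IS NOT NULL "
        "ORDER BY bounty_cents(bounty) DESC LIMIT ?", (limit,)).fetchall()


def top_hunters(conn, limit=10):
    """Most active researchers by number of disclosures, ties broken by name."""
    return conn.execute(
        "SELECT hunter, COUNT(*) AS n FROM hacktivity "
        "GROUP BY hunter ORDER BY n DESC, hunter LIMIT ?", (limit,)).fetchall()
```

Point open_sample_db at a file path instead of ":memory:" and drop the INSERT to run the same ranking over the real databases.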

3) Which companies closed the most bugs from December 2014 - August 2015?

SELECT company, count(*) FROM hacktivity GROUP BY company ORDER BY count(*) DESC LIMIT 10;

bugs closed - company  
481 - Yahoo  
155 - Twitter  
123 - QIWI  
113 - Vimeo  
85 - Mail.ru  
64 - Square  
56 - itBit Exchange  
55 - Slack  
55 - Internet Bug Bounty  
54 - Automattic  

4) What domains made the most appearances on /r/Netsec from December 2014 - August 2015?

SELECT domain, count(*) FROM posts GROUP BY domain ORDER BY count(*) DESC LIMIT 10;

count - domain  
117 - github.com  
15 - self.netsec  
14 - seclists  
13 - blogs.cisco.com  
13 - googleprojectzero.blogspot.com  
12 - sakurity.com  
10 - blog.netspi.com  
10 - translate.wooyun.io  
9 - randywestergren.com  
9 - labofapenetrationtester.com  

I find it interesting that both Cisco and Google Project Zero are among the most posted domains. It lends support to the argument that Google Project Zero was created for marketing purposes.

5) What were the most answered questions on StackExchange Security?

SELECT title, answers FROM stackoverflow ORDER BY answers DESC LIMIT 10;

answers - title  
9 - Q: Is “password knocking” a good idea?  
9 - Q: Can an old operating system webserver be made secure?  
9 - Q: Why is a public key called a key - isn't it a lock? [on hold]  
8 - Q: Why must I have a “strong” password for sites like this? [duplicate]  
8 - Q: Is forcing users to use a strong password effective?  
8 - Q: PHP malware/shell keeps resurrecting [duplicate]  
8 - Q: Why do browsers default to http: and not https: for typed in URLs? [duplicate]  
8 - Q: Is it legal to start a private website for you and your friends to hack? [on hold]  
8 - Q: A person knows my IP address: how to save my data and address? [duplicate]  
8 - Q: Is “different usernames” as good as “different passwords”  

That's all for now. Some of these statistics were particularly interesting to me; maybe they provide some insight to you too. Additionally, Bugcrowd has also released their dataset over here. I haven't had the time to go through theirs thoroughly, but it would be cool to compare the HackerOne data with theirs.

Enjoy the data :)
