Interview Study:
Offensive Security Tooling on GitHub
How do maintainers deal with the dual-use problem of their tools?

We are looking for participants for this interview study on how maintainers and developers of offensive security software think about the unintended consequences of their work!

We are looking for people who…

  • have been maintainers of offensive security software
  • are 18 years of age or older
  • are comfortable participating in an interview on this topic in English

Participants will…

  • fill in a short preparatory questionnaire

  • book a time slot for an interview of about 60 minutes

  • answer questions on their experiences and opinions during the interview

  • be offered a compensation of $60 for their time. We can offer the following options:

    • Amazon vouchers for EU, US, or UK
    • SEPA transfer
    • PayPal

    Please be aware that we cannot reimburse you for any transaction fees that might occur, depending on your choice of compensation.

Sign up for our study here!

About this study

In this interview study we want to examine how developers think about the unintended consequences of developing and releasing offensive security software, including penetration testing tools, exploits and proof-of-concept code. Our aim is to explore how these open-source tools are maintained and how developers of offensive security software perceive and deal with the resulting dual-use dilemmas.

Motivation

Although offensive security software is essential for legitimate cybersecurity research and can be used to strengthen defences and enhance system security, it is also used by malicious actors to exploit vulnerabilities and launch cyberattacks. The dual-use nature of these tools, where the intended and actual uses diverge, highlights the need for a critical examination of the unintended consequences of their development and release. Our aim is to use these insights to better understand the motivations of developers of offensive security tools and how they weigh such unintended consequences.

Research Questions

  • RQ1: Which offensive security/hacker tooling is available on GitHub?
  • RQ2: What are the motivations, experiences, practices, and challenges of maintainers of such tooling?
  • RQ3: How do maintainers of open-source offensive security tools deal with potential unintended consequences of their projects?

Study procedure and participation

We value and appreciate your contribution to our study. As mentioned above, participation involves completing a short sign-up questionnaire, which should take 5–10 minutes. Once you have completed the questionnaire, you can select an interview time from the available slots. The interview itself will take about 60 minutes. During the interview, we are interested in your considerations and opinions on the unintended consequences that arise from the dual use of these tools.

We are committed to maintaining your privacy and the confidentiality of all data you provide. We will only use short quotes from the interviews in our publication with your approval, and make sure that you cannot be identified from our reporting. After the interview, we offer a compensation of $60 for your time and effort.

Sign up for our study here!

Who we are

We are a research team from the state-funded CISPA Helmholtz Center for Information Security in Germany. Our group studies the intersection of computer security and privacy with human factors. We are particularly interested in investigating end users, administrators, developers, and designers of computer systems and their interdependencies with computer security and privacy mechanisms.

Researchers

Niklas Busch | Researcher (CISPA).
Contact: niklas.busch@cispa.de

Jan-Ulrich Holtgrave | Researcher (CISPA).

Prof. Dr. Sascha Fahl | Principal Investigator, Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover)

Institutions

Leibniz University Hannover

CISPA Helmholtz Center for Information Security