“I believe it's incredibly difficult to fight against this flood of spam”: Towards enhancing strategies for creating effective vulnerability notifications

Identifying the most effective and scalable methods for notifying website owners about compromises or vulnerabilities remains an enduring challenge. Although some success factors have been identified, results regarding effective senders and notification framing are often inconsistent, and the understanding of how recipients perceive vulnerability notifications is still limited. Heading towards a better understanding, we conducted a 3 × 3 randomized controlled notification experiment, examining the impact of three distinct senders and three variations of notification framings for n=581 compromised German websites. Our findings revealed a promising trend: receiving any notification significantly increased remediation compared to the absence of one. Remarkably, the choice of sender and framing played only a minor role in our notification experiment, which underscores the importance of notifying compromised websites and should motivate those who find vulnerabilities to take action. Yet, despite these encouraging results, a staggering 58% of the notified websites failed to remediate. To delve deeper into this phenomenon, we conducted follow-up interviews with 42 website owners who did not remediate their websites. The insights were revealing: while our notifications were delivered, many interviewees admitted they either overlooked or dismissed them as spam. This pattern persisted across different senders and framings, highlighting a critical challenge for future notification campaigns. Moving forward, future research should focus on finding ways to cut through the overwhelming amount of daily “spam” and explore strategies for how notifications can effectively convey their importance in recipients’ inboxes. Exploring strategies to raise the general awareness for cybersecurity, encouraging website owners to provide a security.txt, or providing additional assistance in the form of a self-service tool, are some proposals to increase remediation rates. We further recommend that future work should consider theories from communication science or psychology, e.g., Protection Motivation Theory (PMT) or the Elaboration-Likelihood Model, when designing notification campaigns.