How to best inform website owners about vulnerabilities on their websites

Background. Content management systems (CMS) provide default features that make it easy even for laypersons to create and maintain sophisticated websites [3]. But a CMS also poses a security risk. Not only can the CMS’s framework itself contain vulnerabilities. Also, there is a vast number of plugins and templates that may introduce vulnerabilities [3, 5]. We are looking for websites that are vulnerable to search engine Spam (SEO Spam) or Pharma Hacks, where an attacker deploys code on a website to redirect to fake web shops [11, 12]. The manipulation is not visible on the
genuine website, but the sites appear in the search engine results as shops selling illegal or banned drugs / medicines, luxurious brand-name clothing, or expensive appliances for cheap. Often, the malicious code is hidden within the CSS files of a website and cannot be easily found – even by skilled developers [11].

Aim. Since the problem is not easy to detect and only visible in a website’s search results, most website owners have to rely on vulnerability notifications by the security community to be informed about the manipulation. In trying to create suitable vulnerability notifications, with which we could inform the website owners about the security issues, we conducted 25 semi-structured interviews with affected website owners and discussed the perception of vulnerability notifications with them. ... mehrTo our knowledge, none of the experimental studies on vulnerability notifications [1, 4, 6–9, 13–21] have conducted qualitative interviews with affected website owners, to identify common themes and trust-promoting factors for a vulnerability notification. The motivation of our work was to answer the following research questions: (1) How did website owners perceive previous web vulnerability notifications? (2) What are suitable senders and communication channels that the website owners deem trustworthy? (3) What aspects should we consider in future notifications to be deemed trustworthy? Finally, by answering these questions, we aimed at designing a vulnerability notification that is suitable to informwebsite owners about the security issue on their website.