Pwnhead takes down controversial security researchers ranking after criticism

Infosec community reacts with anger at "unneeded" website ranking their skills.
Written by Catalin Cimpanu, Contributor
Pwnhead security researcher ranking

A website that rated security researchers based on their past achievements has decided to take down its controversial ranking after massive backlash from the information security (infosec) community.

The ranking --put together by the team from Pwnhead.com-- scored security researchers by the number of security flaws they discovered (CVE numbers), GitHub account statistics, the popularity of their tools, number of security conference presentations, academic papers, books, and other factors.

The site launched the ranking at the start of the year, along with rankings for security conferences, companies, and countries.

In a blog post, Pwnhead's team said they wanted to create a "standardized review/scoring system in computer security scene [sic]" to allow security researchers a way to determine what security conferences are worth attending, what security companies have truly good reviews, and who are the best and most influential security researchers around.

Almost immediately after its launch, the site and its rankings came under massive criticism from the infosec community.

Security researchers reacted extremely negative to the site. Many called its ranking a flawed popularity contest that would create unneeded peer pressure. Other said the site that did nothing but promote the personality cult of the researchers who bothered to have and promote their public persona.

Others pointed out that the ranking was immensely incomplete because the vast majority of security researchers are under non-disclosure agreements (NDAs) and can't publish their work or even be active online.

For example, some researchers claimed they never wanted to present at conferences, and they didn't want a Pwnhead score hanging above their head to signify that they are inferior or less skilled than their peers.

Many called on the site's administrators to have their names removed from the site, citing anything from GDPR to a personal decision.

Security researchers also expressed fears that if the website's ranking would gain traction with companies or human resources departments, they would have problems getting a job, as they would not have the time to dedicate to being active in the areas Pwnhead used for its ranking criteria.

One of these potential employers reacted to the community's fears by going the other way, claiming they would never hire a person that had a profile on the site.

On Twitter, criticism went on and on for days, as readers can see from the small portion of tweets we selected for this article:

But not all criticism was negative. Some researchers embraced the site, even creating profiles for themselves, however, the vast majority didn't want to have anything to do with the site.

After almost two weeks of criticism, the Pwnhead team decided to shut down the site in mid-January, after a Twitter poll showed that 82 percent of respondents wanted the rankings removed.

Pwnhead Twitter poll

In an interview with ZDNet, one of the site's ten unnamed editors said they removed the ranking following the community's criticisms.

"No other factors involved. We felt bad for creating a bad energy in infosec," the Pwnhead editor told ZDNet. "Therefore, we removed the rankings."

The editor said they didn't receive any legal threats following the publication of the ego-bruising ranking, and that in the end, they officially received only two profile removal requests.

"We got lots of support message from various security experts," the spokesperson said. "I think they were afraid to write their opinions publicly since there was a lynch gang on Twitter."

The Pwnhead team also admitted that some of the criticism was warranted.

"Some people were right about their opinion," the Pwnhead editor said. "For example editor names was [sic] not public. They were right to ask our names.

"Some people saw it as a dystopic website, I understand that too. But I don't understand the others. I believe our scoring system was objective and rankings were making sense."

Asked if the researcher ranking will make a comeback in the future, the Pwnhead editor responded with an adamant no.

"But pwnhead will be an all-in-one catalog for infosec," they said.

And keeping true to their word, the website has transformed. Pwnhead is now a directory of known security researchers, conferences, and companies.

The security conferences ranking is still available, but nobody seems to have had a problem with it anyway since most security researchers already knew what security conferences were the best and which weren't worth their time.

A snapshot of the now-defunct Pwnhead homepage and its ranking is available below.

Former Pwnhead front page

Cybercrime and malware, 2019 predictions

More security coverage:

Editorial standards