
A website that rated security researchers based on their past achievements has decided to take down its controversial ranking after massive backlash from the information security (infosec) community.
The ranking, put together by the team behind Pwnhead.com, scored security researchers on the number of security flaws they had discovered (CVE numbers), GitHub account statistics, the popularity of their tools, the number of security conference presentations, academic papers, books, and other factors.
The site launched the ranking at the start of the year, along with rankings for security conferences, companies, and countries.
In a blog post, Pwnhead's team said they wanted to create a "standardized review/scoring system in computer security scene [sic]" to allow security researchers a way to determine what security conferences are worth attending, what security companies have truly good reviews, and who are the best and most influential security researchers around.
Almost immediately after its launch, the site and its rankings came under massive criticism from the infosec community.
Security researchers reacted extremely negatively to the site. Many called its ranking a flawed popularity contest that would create needless peer pressure. Others said the site did nothing but promote a personality cult around the researchers who bothered to build and promote a public persona.
Others pointed out that the ranking was immensely incomplete because the vast majority of security researchers are under non-disclosure agreements (NDAs) and can't publish their work or even be active online.
Some researchers said they had never wanted to present at conferences, and they did not want a Pwnhead score hanging over their heads signalling that they were inferior or less skilled than their peers.
Many called on the site's administrators to remove their names, citing anything from GDPR to personal preference.
Security researchers also feared that if the ranking gained traction with companies or human resources departments, they would have trouble getting hired, since they lacked the time to be active in the areas Pwnhead used as ranking criteria.
One potential employer reacted to these fears by going the other way, saying it would never hire a person who had a profile on the site.
On Twitter, the criticism went on for days, as the small selection of tweets below shows:
That #pwnhead list is of course some elitistic nonsense. I made the list but they base my score on dumpdecrypted - only one of many things i released over the years. Their whole ranking system is ridiculous and broken. Oh yeah and @matalaz is not north korean. pic.twitter.com/79YffaKmLj
— Stefan Esser (@i0n1c) January 13, 2019
if you’re a security conference even mildly supportive of the infosec community, demand to be removed from pwnhead.
— Wim Remes (@wimremes) January 14, 2019
Was this inspired by a Black Mirror episode? You're assigning a "social score" to researchers... The academic world tried this with several types of metrics and it's a bad idea.
— Mathy Vanhoef (@vanhoefm) January 12, 2019
Really bad idea to create a scoreboard like that, as a security enthusiast I don't want to live in a world where you are monitored and/or ranked for your releases, really bad mentality
— Sh0ck (@Sh0ckFR) January 8, 2019
The idea behind it is good but your execution is poor. The entire community you're catering for is saying this isn't good, take some time to reorganize and come back better IMO.
— SirGravzy (@GravzyIT) January 13, 2019
Where are all the women? It's like Children of Men up in there
— Ian Coldwater 👻🌿✨ (@IanColdwater) January 13, 2019
Companies and conferences are fine but people. nah! This ain't helping anyone. Unnecessary stress and unwanted competition.
— Arun Magesh (@marunmagesh) January 12, 2019
What if pwnhead is just a troll site making fun of the ego driven elitism of this industry? If so, I wonder if they got the reaction they were expecting?
— Ryan Hanson (@ryHanson) January 14, 2019
Not all reactions were negative. Some researchers embraced the site, even creating profiles for themselves; the vast majority, however, wanted nothing to do with it.
After almost two weeks of criticism, the Pwnhead team decided to take the rankings down in mid-January, after a Twitter poll showed that 82 percent of respondents wanted them removed.
In an interview with ZDNet, one of the site's ten unnamed editors said they removed the ranking following the community's criticisms.
"No other factors involved. We felt bad for creating a bad energy in infosec," the Pwnhead editor told ZDNet. "Therefore, we removed the rankings."
The editor said they received no legal threats following the publication of the ego-bruising ranking, and that in the end they formally received only two profile removal requests.
"We got lots of support messages from various security experts," the spokesperson said. "I think they were afraid to write their opinions publicly since there was a lynch gang on Twitter."
The Pwnhead team also admitted that some of the criticism was warranted.
"Some people were right about their opinion," the Pwnhead editor said. "For example editor names was [sic] not public. They were right to ask our names.
"Some people saw it as a dystopic website, I understand that too. But I don't understand the others. I believe our scoring system was objective and rankings were making sense."
Asked if the researcher ranking will make a comeback in the future, the Pwnhead editor responded with an adamant no.
"But pwnhead will be an all-in-one catalog for infosec," they said.
True to their word, the website has since transformed. Pwnhead is now a directory of known security researchers, conferences, and companies.
The security conference ranking is still available, but nobody seems to have objected to it in the first place, since most security researchers already knew which conferences were the best and which were not worth their time.
A snapshot of the now-defunct Pwnhead homepage and its ranking is available below.