Daniel Votipka

PhD Student, Computer Science
University of Maryland, College Park

My research focuses on computer security, with an emphasis on the human factors affecting security workers. I'm interested in understanding the processes and mental models of professionals who perform security related tasks such as vulnerability discovery, network defense, and malware analysis to provide research-based recommendations for education, policy, and automation changes to best leverage human intelligence against challenging computer security problems.

Current Projects

Vulnerability Discovery

Finding security vulnerabilities in software is a critical task for any organization. Even though automated vulnerability discovery has made significant strides in recent years, human effort is still required. My goal is to develop a better understanding of how communities of practitioners discover (and report) software vulnerabilities. To understand the human factors of software vulnerability discovery, we are studying people with experience finding and reporting software vulnerabilities. This includes professional software testers, bug bounty program participants, Information Security professionals, and capture-the-flag competitors.

By understanding the methods, motivations, and learning processes of various practitioners, we aspire to illuminate best practices for eliminating bugs in code and develop better tools, training, and policies to support them.

Related Publications:
Toward a Field Study on the Impact of Hacking Competitions on Secure Development. Daniel Votipka, Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek. In WSIW 2018: Workshop on Security Information Workers. August 2018. To Appear.

The Battle for New York: A Case Study of Applied Digital Threat Modeling at the Enterprise Level. Rock Stevens, Daniel Votipka, Elissa M. Redmiles, Colin Ahern, Patrick Sweeney, Michelle L. Mazurek. In USENIX Security 2018. The USENIX Security Symposium. Aug 2018. To Appear

Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes. Daniel Votipka, Rock Stevens, Elissa M. Redmiles, Jeremy Hu, and Michelle L. Mazurek. In IEEE S&P 2018: IEEE Symposium on Security and Privacy. May 2018. Paper, Slides, Talk

Mobile App Privacy

Smartphone apps have access to a significant amount of sensitive user data (e.g., location, SMS messages). Mobile operating systems regulate access by informing users and asking for thier consent whenever an app would like to collect sensitive data (typically the first time a resource is required). Users must decide whether the requested access is necessary to provide a useful feature or too invasive on their privacy based on limited contextual information.

In this line of research, we first study how users currently make these decisions and then use our findings to develop improved analyses and visualizations to provide the information necessary to make informed decisions.

Related Publications:
User Comfort with Android Background Resource Accesses in Different Contexts. Daniel Votipka, Seth M. Rabin, Kristopher Micinski, Thomas Gilray, Michelle L. Mazurek, Jeffrey S. Foster. In SOUPS 2018: The Symposium on Usable Privacy and Security. Aug 2018. To Appear. Paper

User Interactions and Permission Use on Android. Kristopher Micinski, Daniel Votipka, Rock Stevens, Nikolaos Kofinas, Michelle L. Mazurek, and Jeffrey S. Foster. In CHI 2017: ACM Conference on Human Factors in Computing Systems. May 2017. PDF

Contact information

Email: dvotipka@...edu 3421 A.V. Williams Building
College Park, MD 20742


Maryland Cybersecurity Center (MC2)
Human-Computer Interaction Lab (HCIL)