
Behind the Curtain: How Shared Hosting Providers Respond to Vulnerability Notifications

Giada Stivala, Rafael Mrowczynski, Maria Hellenthal, Giancarlo Pellegrino

TL;DR

This paper shifts vulnerability notification research from optimizing sender-side campaigns to examining how hosting providers receive and process notifications. Through 24 semi-structured interviews with diverse HPOs, it reveals that remediation is shaped more by service boundaries, cost pressures, and the belief that application security lies with customers than by reachability or technical hurdles. The study highlights a misalignment between researchers' goals and HPO business logic, and discusses implications for improving awareness, targeting responsible parties, and reducing remediation costs. Overall, effective remediation will require aligning incentives across reporters, providers, and end users, in addition to improving notification reachability. The findings offer practical insights for designing VN practices and inform future research on cross-stakeholder security governance.

Abstract

Large-scale vulnerability notifications (VNs) can help hosting provider organizations (HPOs) identify and remediate security vulnerabilities that attackers can exploit in data breaches or phishing campaigns. Previous VN studies have primarily focused on factors under the control of reporters, such as sender reputation, email formatting, and communication channels. Despite these efforts, remediation rates for vulnerability notifications remain consistently low. This paper presents the first in-depth study of how HPOs process vulnerability notifications internally and what organizational and operational factors influence VN effectiveness. We examine the problem from a different perspective to provide the first detailed understanding of the reasons behind persistently low remediation rates. Instead of manipulating parameters of VN campaigns, we interview hosting providers directly, investigating how they handle vulnerability notifications and what factors may influence VN effectiveness, such as VN awareness and reachability, HPOs' service models, and perceived security risks. We conducted semi-structured interviews with 24 HPOs across shared hosting and web development services, representing varied company sizes and operator roles. Our findings reveal practical insights on VN processing and abuse workflows. While some providers remain hard to reach due to complex infrastructures, most report routinely handling VNs. However, limited remediation often stems from strict responsibility boundaries, where web application issues are seen as the customer's domain. Low hosting fees and high volumes of daily compromises further discourage both proactive and reactive measures. Our findings show that HPOs blame negligent website owners, and prior work on website owners confirms that they often undervalue their sites or lack security know-how.

Paper Structure

This paper contains 58 sections, 2 figures, 2 tables.

Figures (2)

  • Figure 1: VN creation process based on provider feedback. The sender’s email is only relevant if it raises red flags; the body’s evidence is most important. On the left, the diagram shows how the email’s routing depends on the recipient: if the HPO owns the IP range (per WHOIS), they can be contacted directly. Otherwise, the VN is sent to the infrastructure provider (i.e., the IP range owner, e.g., a data center or cloud provider), who acts as an intermediary and must forward the message to the affected HPO.
  • Figure 2: Notification handling workflow. Incoming reports are analyzed by abuse teams and abusive content is taken down, with further actions depending on the HPO. Reports are otherwise forwarded to customers, and escalation to customer support depends on user action and contract terms.