Identifying and Addressing Usability Vulnerabilities
Session Abstract
Security can fail even when code is correct. Drawing on work with SecureDrop, Qubes OS, and Mailvelope, this talk defines “usability vulnerabilities,” design flaws that cause unsafe behavior, and shows how open-source teams can detect and address them before release.
Session Description
Even well-engineered security tools can expose users to risk if design choices make safe actions unclear or burdensome. This talk examines how usability directly shapes security, based on Ura Design’s audits and field studies for SecureDrop, Qubes OS, and Mailvelope.
We define a usability vulnerability as a design flaw that predictably leads users to unsafe behavior, despite correct technical implementation. Examples include misleading encryption states, ambiguous trust cues, and compartmentalization patterns that break user mental models.
The session introduces a repeatable method for identifying and documenting such vulnerabilities within existing security review cycles. Attendees, including maintainers, designers, and security reviewers, will learn how to integrate usability findings into threat models, triage design issues with the same rigor as code CVEs, and prevent security regressions before they reach production.
