Lawrence Piao's Homepage

Cybersecurity, Privacy and Trust PhD Student

About Me

I am Yangheran Piao_{[/jɑːŋ hə ɻæn piɑʊ/]}, a second-year PhD studnet at the School of Informastic, University of Edinburgh, under the supervision of Prof. Ross Anderson, Dr. Daniel Woods and Dr. Jingjie Li. My research interests include usable security, software supply chain security, security economics and cybercrime.

For now, my work specifically investigates the behaviors and perceptions of key stakeholders in the vulnerability disclosure ecosystem, including the collective actions among hackers, the responses of vulnerability researchers to security laws, as well as the impact of these laws on them. I am also exploring AI vulnerability reporting practices and models.

News & Updates

06/2025 – Our papers titled “Anticipating personal cyber insurance disputes: A US/UK user study” and “Unfairness in the bug bounty ecosystem: Problems, metrics, and solutions” was presented at WEIS 2025, Tokyo, Japan.
03/2025 – I gave a presentation titled “The bug bounty manifesto: Collectivization and fairness” at Security Protocols Workshop XXIX in Cambridge. I also gave a brief talk on Ross’s research and activism regarding responsible disclosure at Rossfest Symposium.
09/2024 – My paper titled “Study club, labor union or start-up? Characterizing teams and collaboration in the bug bounty ecosystem” has been accepted for IEEE S&P (Oakland) 2025.
07/2024 – My poster titled “Finding bugs with friends: Incentivizing vulnerability discovery through teaming and collaboration” was presented at PETS 2024, Bristol, UK.

Recent Publications

Yangheran Piao, Daniel W. Woods. Unfairness in the Bug Bounty Ecosystem: Problems, Metrics, and Solutions. In 24th Workshop on the Economics of Information Security (WEIS’25), 2025
Temima Hrle, Yangheran Piao, Daniel W. Woods. Anticipating Personal Cyber Insurance Disputes: A US/UK User Study. In 24th Workshop on the Economics of Information Security (WEIS’25), 2025
Yangheran Piao, Harita Lolla, Daniel W. Woods. The long shadow of the Computer Fraud and Abuse Act: Exploring user discussions on the legality of vulnerability research on Reddit. In Rossfest Festschrift for Ross Anderson, 2025
Yangheran Piao, Temima Hrle, Daniel W. Woods, Ross Anderson. Study club, labor union or start-up? Characterizing teams and collaboration in the bug bounty ecosystem. In 46th IEEE Symposium on Security and Privacy (S&P’25), 2024

Teaching

Teaching Assistant & Co-Instructor:
- Computer Security (Level 11) (INFR11244), University of Edinburgh, Autumn 2025
- Usable Security and Privacy (INFR11158/11230, 74 students), University of Edinburgh, Spring 2025
  - Led the lecture on Vulnerability Research & Bug Bounty
- Security Engineering (INFR11208/11228, 72 students), University of Edinburgh, Spring 2024
  - Security Engineering — Third Edition (PDF)
  - Teaching Videos
- Network Security (3150530011021, 52 students), Wuhan University, Spring 2020
Master’s Thesis Advising:
- Harita Lolla (2023-2024)
- Bocheng Zhang (2023-2024)

Service

Reviewer:
- USENIX SEC 2026 (Sub)
- ACM CCS 2025 (External)
- EuroUSEC 2025 (External)
- The Computer Journal (2024,2025)
- The Journal of Supercomputing (2024)
- Social Network Analysis and Mining (2024)

Invited Talk

11/09/2025. Understanding Collective Dynamics in Vulnerability Reward Programs. Invited by Tsinghua University

24/07/2024. Exploring Teaming and Collaboration in the Bug Bounty Ecosystem. Invited by Google Chrome

Great research is done with a shovel, not with tweezers

— Roger Needham