Yangheran (Lawrence) Piao
Cybersecurity, Privacy and Trust PhD Student
About Me
I am Yangheran Piao[/jɑːŋ hə ɻæn piɑʊ/], a third-year PhD student at the School of Informatics, University of Edinburgh, under the supervision of Prof. Ross Anderson, Dr. Daniel W. Woods and Dr. Jingjie Li. My research interests include usable security, software supply chain security, security economics and cybercrime.
Currently, my work specifically investigates the behaviors and perceptions of key stakeholders in the vulnerability disclosure ecosystem, including the collective actions among hackers, the responses of vulnerability researchers to security laws, as well as the impact of these laws on them. I am also exploring AI vulnerability reporting practices and models.
News & Updates
Recent Publications
- Yangheran Piao, Jingjie Li, Daniel W. Woods. “Abuse Risks are Often Inherent to Product Features”: Exploring AI Vendors’ Bug Bounty and Responsible Disclosure Policies. In 35th USENIX Security Symposium (USENIX Sec’26), 2026.
- Yangheran Piao, Daniel W. Woods. Unfairness in the Bug Bounty Ecosystem: Problems, Metrics, and Solutions. In 24th Workshop on the Economics of Information Security (WEIS’25), 2025.
- Temima Hrle, Yangheran Piao, Daniel W. Woods. Anticipating Personal Cyber Insurance Disputes: A US/UK User Study. In 24th Workshop on the Economics of Information Security (WEIS’25), 2025.
- Yangheran Piao, Harita Lolla, Daniel W. Woods. The long shadow of the Computer Fraud and Abuse Act: Exploring user discussions on the legality of vulnerability research on Reddit. In Rossfest Festschrift for Ross Anderson, 2025.
- Yangheran Piao, Temima Hrle, Daniel W. Woods, Ross Anderson. Study club, labor union or start-up? Characterizing teams and collaboration in the bug bounty ecosystem. In 46th IEEE Symposium on Security and Privacy (SP’25), 2024.
Service
- Reviewer:
- USENIX SEC 2026 (Sub)
- ACM CCS 2025 (External)
- ACM CHI 2026 (Poster)
- EuroUSEC 2025 (External)
- The Computer Journal (2024-2026)
Teaching
- Teaching Assistant & Co-Instructor:
- Security Engineering (INFR11208/11228, 72 students), University of Edinburgh, Spring 2024 & 2026
-
- Usable Security and Privacy (INFR11158/11230, 74 students), University of Edinburgh, Spring 2025
- Led the lecture on Vulnerability Research & Bug Bounty
- Usable Security and Privacy (INFR11158/11230, 74 students), University of Edinburgh, Spring 2025
-
- Computer Security (Level 11) (INFR11244, 35 students), University of Edinburgh, Autumn 2025
-
- Network Security (3150530011021, 52 students), Wuhan University, Spring 2020
- Master’s Thesis Advising:
- Harita Lolla, Navigating the Legal Barriers of Web Vulnerability Research (2023-2024)
- Bocheng Zhang, Exploring Reddit Users Perceptions about the Legality of Vulnerability Research (2023-2024)
Invited Talk
27/05/2026. Collective Dynamics in the Bug Bounty Ecosystem. Invited by King’s College London
21/05/2026. Exploring AI Vendors Bug Bounty and Responsible Disclosure Policies. Invited by University of Glasgow
21/04/2026. Ethics in Privacy and Security Research. Invited by Huazhong University of Science and Technology
11/09/2025. Exploring Cooperative Practices Among Security Researchers in Vulnerability Reward Programs. Invited by Tsinghua University
24/07/2024. Incentivizing vulnerability discovery through teaming and collaboration. Invited by Google Chrome
Great research is done with a shovel, not with tweezers
