Towards Multi-Stakeholder Vulnerability Notifications in the Ad-Tech Supply Chain

TL;DR

This study develops and evaluates a multi-stakeholder vulnerability notification system in the ad-tech supply chain, demonstrating its effectiveness in reducing dark pooling across different ecosystem participants.

Contribution

First implementation of an online advertising supply chain vulnerability notification pipeline to evaluate stakeholder responsiveness in a complex multi-stakeholder environment.

Findings

Notifications effectively reduce dark pooling vulnerabilities.

Ad-network responses are most responsive to notifications.

Sender reputation does not significantly affect stakeholder responses.

Abstract

Online advertising relies on a complex and opaque supply chain that involves multiple stakeholders, including advertisers, publishers, and ad-networks, each with distinct and sometimes conflicting incentives. Recent research has demonstrated the existence of ad-tech supply chain vulnerabilities such as dark pooling, where low-quality publishers bundle their ad inventory with higher-quality ones to mislead advertisers. We investigate the effectiveness of vulnerability notification campaigns aimed at mitigating dark pooling. Prior research on vulnerability notifications have primarily explored single-stakeholder contexts, leaving multi-stakeholder scenarios understudied. There is limited attention to complex multi-stakeholder supply chain ecosystems such as ad-tech supply chain, where resolving vulnerabilities often requires coordinated action across entities with misaligned incentives and interdependent roles. We address this gap by implementing the first online advertising supply chain vulnerability notification pipeline to systematically evaluate the responsiveness of various stakeholders in ad-tech supply chain, including publishers, ad-networks, and advertisers to vulnerability notifications by academics and activists. Our nine-month long automated multi-stakeholder notification study shows that notifications are an effective method for reducing dark pooling vulnerabilities in the online advertising ecosystem, especially when targeted towards ad-networks. Further, the sender reputation does not impact responses to notifications from activists and academics in a statistically different way. Overall, our research fosters industry-scale solution to combat ad inventory fraud and fosters future research on feasibility of multi-stakeholder vulnerability notifications in other supply chain ecosystems.