FOSS Backstage 2026

Identifying and Addressing Usability Vulnerabilities
2026-03-17, Room bUm Box

Security can fail even when code is correct. Drawing on work with SecureDrop, Qubes OS, and Mailvelope, this talk defines “usability vulnerabilities,” design flaws that cause unsafe behavior, and shows how open-source teams can detect and address them before release.


Even well-engineered security tools can expose users to risk if design choices make safe actions unclear or burdensome. This talk examines how usability directly shapes security, based on Ura Design’s audits and field studies for SecureDrop, Qubes OS, and Mailvelope.

We define a usability vulnerability as a design flaw that predictably leads users to unsafe behavior, despite correct technical implementation. Examples include misleading encryption states, ambiguous trust cues, and compartmentalization patterns that break user mental models.

The session introduces a repeatable method for identifying and documenting such vulnerabilities within existing security review cycles. Attendees, including maintainers, designers, and security reviewers, will learn how to integrate usability findings into threat models, triage design issues with the same rigor as code CVEs, and prevent security regressions before they reach production.

Elio Qoshi founded Ura Design, a small studio that examines complex digital tools through usability forensics and whole-systems research. Before that, he worked as a User Experience Designer at Canonical, the company behind Ubuntu. With over twelve years of experience, Elio focuses on making complex digital tools more understandable and secure through user-centered research and design.

UX Designer driven by the complexity behind what feels simple: how systems and stories shape the way people experience technology. My work explores how design can make technical depth feel intuitive and clear. Published research author on privacy-preserving UX patterns, with its primary artifact being a UI/UX Privacy Pattern Catalog to help designers embed such patterns into everyday interfaces.