8 research outputs found

    Developing a gamified peer-reviewed bug bounty programme

    Bug bounty processes have remained broadly unchanged since their inception. Existing literature recognises that current methods generate intensive resource demands, impacting programme effectiveness. This paper proposes a novel implementation which aims to alleviate resource demands and mitigate inherent issues through gamification. This incorporates additional crowdsourcing of vulnerability verification and reproduction by peers, allowing the client organisation to reduce overheads at the cost of rewarding participants. The system has the potential to be used in Higher Education Institutions, which typically face resource and budget constraints.

    A Bug Bounty Perspective on the Disclosure of Web Vulnerabilities

    Bug bounties have become increasingly popular in recent years. This paper discusses bug bounties by framing these theoretically against the so-called platform economy. Empirically the interest is on the disclosure of web vulnerabilities through the Open Bug Bounty (OBB) platform between 2015 and late 2017. According to the empirical results based on a dataset covering nearly 160 thousand web vulnerabilities, (i) OBB has been successful as a community-based platform for the dissemination of web vulnerabilities. The platform has also attracted many productive hackers, (ii) but there exists a large productivity gap, which likely relates to (iii) a knowledge gap and the use of automated tools for web vulnerability discovery. While the platform (iv) has been exceptionally fast to evaluate new vulnerability submissions, (v) the patching times of the web vulnerabilities disseminated have been long. With these empirical results and the accompanying theoretical discussion, the paper contributes to the small but rapidly growing amount of research on bug bounties. In addition, the paper makes a practical contribution by discussing the business models behind bug bounties from the viewpoints of platforms, ecosystems, and vulnerability markets. Comment: 17th Annual Workshop on the Economics of Information Security, Innsbruck, https://weis2018.econinfosec.org

    A Knowledge Graph to Represent Software Vulnerabilities

    Over the past decade, there has been a major shift towards the globalization of the software industry, by allowing code to be shared and reused across project boundaries. This global code reuse can take on various forms, including components or libraries which are publicly available on the Internet. However, this code reuse also comes with new challenges, since not only the code but also the vulnerabilities these components might be exposed to are shared. The software engineering community has attempted to address this challenge by introducing bug bounty platforms and software vulnerability repositories, to help organizations manage known vulnerabilities in their systems. However, with the ever-increasing number of vulnerabilities and information related to these vulnerabilities, it has become inherently more difficult to synthesize this knowledge. Knowledge Graphs and their supporting technology stack have been promoted as one possible solution to model, integrate, and support interoperability among heterogeneous data sources. In this thesis, we introduce a methodology that takes advantage of knowledge graphs to integrate resources related to known software vulnerabilities. More specifically, this thesis takes advantage of knowledge graphs to introduce a unified representation that takes traditional information silos (e.g., VDBs, bug bounty programs) and transforms them into information hubs. Several use cases are presented to illustrate the applicability and flexibility of our modeling approach, demonstrating that the presented knowledge modeling approach can indeed unify heterogeneous vulnerability data sources and enable new types of vulnerability analysis.

    Web science challenges in researching bug bounties

    The act of searching for security flaws (vulnerabilities) in a piece of software was previously considered to be the preserve of malicious actors, or at least actors who wished to cause chaos. Increasingly, however, companies are recognising the value of running a bug bounty program, where they will pay "white hat" hackers to locate and disclose security flaws in their applications so that they can fix them. This is known as a "bug bounty" or a "vulnerability reward program", and at present has seen comparatively little research. This paper introduces existing research on bug bounties in two areas: as a means of regulating the sale of vulnerabilities; and as a form of crowdsourcing. We argue that the nature of bug bounties makes Web science particularly suitable to drive forward research. We identify gaps in the current literature, and propose areas which we consider to be particularly promising for future research.

    Bug bounty programmes as part of public administration information security

    This study examines the use of bug bounty programmes in public administration. The study clarifies what bug bounty programmes are, how they work, and what benefits and risks are associated with using them. In addition, it examines information security from a theoretical perspective, as well as the connection between public administration and information security. It also reviews the legislation on information and communication offences, reflecting it against participation in programmes and the organisation of programmes. The purpose of the study is to determine on what grounds the organisation of, and participation in, bug bounty programmes in domestic public administration comply with Finnish law. A further purpose is to answer the question of who decides on launching a programme in public administration. A background objective is also to make bug bounty programmes, and the information-security-related details of public administration information systems more generally, better known in the field of law. The study belongs to the research field of legal informatics. Among the fields of law, it can be positioned at the interface of information law and ICT law. These three share an interest in the economic perspective, which is why the study also examines the organisation of programmes from the viewpoint of economics. The criminal-law section of the study, by contrast, is approached from the perspective of legal dogmatics. The source material consists largely of articles from the ICT field dealing with bug bounty programmes or other security testing, since the topic has been approached from a legal perspective only to a limited extent, even at the international level. In particular, for the study's criminal-law analysis, the rules of the programme concerning the Finnish Tax Administration's Incomes Register (Verohallinnon Tulorekisteri) have also been used as a source when reflecting the criminalisations of the Criminal Code against these rules.
As the title of the study already indicates, bug bounty programmes can be part of the information security of the information systems used in public administration; on their own they are not sufficient, and other methods must also be used in maintaining and testing information security. Organising a bug bounty programme targeting the production environment of an information system, and participating in such a programme, is as a rule activity in accordance with current legislation; with regard to certain criminal-law criminalisations, however, a person participating in a programme may nevertheless commit an offence. The significance of the programme rules as the source of the injured party's consent must be emphasised in particular: when drafting programme rules, closer attention should in future be paid to legal details.

    Supporting data-driven software development life-cycles with bug bounty programmes

    A growing number of organisations are utilising the skills of a global base of white-hat hackers in order to identify pre- and post-deployment vulnerabilities. Despite the widespread adoption of bug bounty programmes, there remain many uncertainties regarding the efficacy of this relatively novel security activity, especially when considering their adoption alongside existing software development lifecycles. This dissertation explores how bug bounty programmes can be used to support data-driven software development lifecycles. To achieve this outcome, the dissertation presents four distinct contributions. The first contribution concerns the usage of Crowdsourced Vulnerability Discovery (CVD) (of which bug bounty programmes are a part) within organisations. This includes the presentation of expert opinion pertaining to the benefits and shortcomings of existing approaches, and identification of the extent to which CVD programmes are used in software development lifecycles. The second contribution explores the benefits and drawbacks of hosting a programme on a bug bounty platform (a centralised repository of programmes operated by a third party). Empirical analysis of operating characteristics helps address concerns around the long-term viability of programme operation, and allows for a comparison to be made between the cost of expanding a security team and the cost of running a programme. The third contribution examines the extent to which participating in the search for vulnerabilities is a viable long-term strategy for hackers based on bug bounty platforms. The results demonstrate that participation is infeasible, even on a short-term basis, for significant numbers of hackers, highlighting the shortcomings of the current approach used by platforms. Building on the first three, the fourth contribution explores CVD programme policies, and the extent to which pertinent information, particularly in reference to legal constraints, is communicated to hackers. 
A systematic review reveals the commonplace elements that form current policy documents, enabling organisations to identify gaps within their own programme policies and form policies that are consistent with peers.