A longitudinal study of hacker behaviour

Walshe, Thomas; Simpson, Andrew

doi:10.1145/3477314.3506968

Cited by 3 publications

(4 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A distrust of hackers by some organisations is also found by Tanczer (2020) . A lack of hacker motivation and a difficulty in maintaining participants is reported by Walshe and Simpson (2022) .…”

Section: Related Workmentioning

confidence: 96%

“…In exchange for the submission of a valid vulnerability report, hackers may be rewarded with monetary payouts, 'swag' (such as a company t-shirt), public recognition, or employment ( Hata et al, 2017 ). Although hackers may be motivated by the eye-catching rewards offered as payouts from many Bug Bounty Programmes (BBPs) ( Walshe and Simpson, 2022;Zhao et al, 2014 ), such as the $1,0 0 0,0 0 0 bounties offered by Apple ( Hern, 2019 ), some act out of altruism and report vulnerabilities to ensure the privacy, safety and security of the general public ( HackerOne, 2021 ).…”

Section: Introductionmentioning

confidence: 99%

“…Despite the widespread usage of CVD programmes and the increasing maturity of the security activity, there are still many barriers to adoption, including: large volumes of low quality reports ( Al-Banna et al, 2018 ), lack of hacker motivation ( Walshe and Simpson, 2022 ), high operating costs ( Walshe and Simpson, 2020 ), and a general distrust of hackers ( Follis and Fish, 2022 ). A qualitative study involving the operators of CVD programmes has the potential to both uncover the difficulties faced by operators during the pre-and post-launch phases and assess how effectively organisations are utilising their programmes.…”

Section: Introductionmentioning

confidence: 99%

“…These platforms act as centralised directories for programmes, allowing user-bases of hundreds-of-thousands of hackers to view pertinent information about an organisation's CVD policies and the extent to which hackers have participated in the past. As market participants, platforms help to resolve information asymmetries between programmes and hackers ( Wachs, 2022;Walshe and Simpson, 2022 ).…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Walshe

Simpson²

2022

Computers & Security

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 96%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Walshe

Simpson²

2022

Computers & Security

View full text Add to dashboard Cite

Towards a Greater Understanding of Coordinated Vulnerability Disclosure Policy Documents

Walshe

Simpson

2023

Digital Threats

View full text Add to dashboard Cite

Bug Bounty Programmes (BBPs) and Vulnerability Disclosure Programmes (VDPs), collectively referred to as Coordinated Vulnerability Disclosure (CVD) programmes, open up an organisation’s assets to the inquisitive gaze of (often eager) white-hat hackers. Motivated by the question What information do organisations convey to hackers through public CVD policy documents? , we aim to better understand the information available to hackers wishing to participate in the search for vulnerabilities. As such, in this paper we consider three key issues. First, to address the differences in the legal language communicated to hackers, it is necessary to understand the formal constraints by which hackers must abide. Second, it is beneficial to understand the variation that exists in the informal constraints that are communicated to hackers through a variety of institutional elements. Third, for organisations wishing to better understand the commonplace elements that form current policy documents, we offer broad analysis of the components frequently included therein and identify gaps in programme policies. We report the results of a quantitative study, leveraging deep learning based Natural Language Processing (NLP) models, providing insights into the policy documents that accompany the CVD programmes of thousands of organisations, covering both stand-alone programmes and those hosted on 13 BBPs. We found that organisations often inadequately convey the formal constraints that are applicable to hackers, requiring hackers to have a deep understanding of the laws that underpin safe and legal security research. Furthermore, a lack of standardisation across similar policy components is prevalent, and may lead to a decreased understanding of the informal constraints placed upon hackers when searching for and disclosing vulnerabilities. Analysis of the institutional elements included in the policy documents of organisations reveals insufficient inclusion of many key components. Namely, legal information and information pertaining to restrictions on the backgrounds of hackers is found to be absent in a majority of policies analysed. Finally, to assist ongoing research, we provide novel annotated policy datasets that include human-labelled annotations at the sentence- and paragraph-level, covering a broad range of CVD programme backgrounds.

show abstract

A Survey of Bug Bounty Programs in Strengthening Cybersecurity and Privacy in the Blockchain Industry

Arshad,

Talha,

Saleem

et al. 2024

Blockchains

View full text Add to dashboard Cite

The increasing reliance on computer networks and blockchain technology has led to a growing concern for cybersecurity and privacy. The emergence of zero-day vulnerabilities and unexpected exploits has highlighted the need for innovative solutions to combat these threats. Bug bounty programs have gained popularity as a cost-effective way to crowdsource the task of identifying vulnerabilities, providing a secure and efficient means of enhancing cybersecurity. This paper provides a comprehensive survey of various free and paid bug bounty programs in the computer networks and blockchain industry, evaluating their effectiveness, impact, and credibility. The study explores the structure, incentives, and nature of vulnerabilities uncovered by these programs, as well as their unique value proposition. A comparative analysis is conducted to identify advantages and disadvantages, highlighting the strengths and weaknesses of each program. The paper also examines the role of ethical hackers in bug bounty programs and their contributions to strengthening cybersecurity and privacy. Finally, the study concludes with recommendations for addressing the challenges faced by bug bounty programs and suggests potential future directions to enhance their impact on computer networks and blockchain security.

show abstract

A longitudinal study of hacker behaviour

Cited by 3 publications

References 21 publications

Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Towards a Greater Understanding of Coordinated Vulnerability Disclosure Policy Documents

A Survey of Bug Bounty Programs in Strengthening Cybersecurity and Privacy in the Blockchain Industry

Contact Info

Product

Resources

About