Analyzing Bug Bounty Programs: An Institutional Perspective on the Economics of Software Vulnerabilities

Kuehn, Andreas; Mueller, Milton

doi:10.2139/ssrn.2418812

Cited by 18 publications

(18 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Warning systems for various types of cyber attacks facilitated by cyber emergency response teams, active (and twoway) private-sector information sharing and collaboration on identifying and spreading cybersecurity best practices, and a robust cyber hygiene campaign may be considered other essential elements of cybersecurity due diligence. Other best practices include partioning access to code and systems, audits and regular penetration testing, and promoting redundancy and parallel network construction to build further resiliency, as well as harnessing cybersecurity expertise beyond one's own organizational boundaries through bug bounty and vulnerability reward programs (Westervelt, 2013, Kuehn & Mueller, 2014. The NIST Framework, and the related standards it references, provides a conceptual toolbox to identify gaps in an organization's cybersecurity readiness that both public and private sector actors should be aware, along with the German BSI Standards and Chinese equivalents.…”

Section: Resultsmentioning

confidence: 99%

Defining Cybersecurity Due Diligence Under International Law: Lessons from the Private Sector

Shackelford

Russell

Kuehn

2016

Ethics and Policies for Cyber Operations

Self Cite

View full text Add to dashboard Cite

Although there has been a relative abundance of work done on exploring the contours of the law of cyber war, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations' due diligence obligations are to their respective private sectors and to one another. The International Court of Justice ("ICJ") has not explicitly considered the legality of cyber weapons to this point, though it has ruled in the Corfu Channel case that one country's territory should not be "used for acts that unlawfully harm other States." But what steps exactly do nations and companies under their jurisdiction have to take under international law to secure their networks, and what of the rights and responsibilities of transit states? This Article reviews the arguments surrounding the creation of a cybersecurity due diligence norm and argues for a proactive regime that takes into account the common but differentiated responsibilities of public-and private-sector actors in cyberspace. The analogy is drawn to cybersecurity due diligence in the private sector and the experience of the 2014 National Institute of Standards and Technology ("NIST") Framework to help guide and broaden the discussion.

show abstract

Section: Resultsmentioning

confidence: 99%

Defining Cybersecurity Due Diligence Under International Law: Lessons from the Private Sector

Shackelford

Russell

Kuehn

2016

Ethics and Policies for Cyber Operations

Self Cite

View full text Add to dashboard Cite

show abstract

“…Discussions are often speculative or based on what is discovered after the vulnerability has been exploited and detected in an attack. 6 While some heuristic models have been created to examine the depletion rate of software vulnerabilities (Libicki, Ablon, and Webb, 2015), game theoretic outcomes of stockpiling (Moore, Friedman, and Procaccia, 2010), the collision rate in various code bases (Moussouris and Siegel, 2015), and the general economics of software vulnerabilities (Kuehn and Mueller, 2014), no publicly available research on this topic has been based on actual data about current zero-day vulnerabilities. In this report, we provide data-driven insights into zero-day vulnerabilities that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, and inform ongoing policy discussions surrounding zero-day vulnerabilities regarding stockpiling and vulnerability disclosure.…”

Section: Little Is Known About the Extent Use Benefit Or Harm Of Zmentioning

confidence: 99%

“…11 Others have discussed the benefits and challenges of disclosure versus retention (Schneier, 2014), explored the various markets (Fidler, Granick, and Crenshaw, 2014;Kuehn and Mueller, 2014;Libicki, Ablon, and Webb, 2015), examined the vulnerabilities equities process (Schwartz and Knake, 2016), investigated the role of disclosure in improving or undermining security (Ransbotham and Mitre, 2011), reviewed the specific recommendations regarding software exploits from the U.S. President's Review Group (Clark et al, 2013), held industry round tables on the topic (Zetter, 2015), and opined on whether the government holding zero-day vulnerabilities weakens digital security (Crocker, 2016). 10 More in-depth discussion of overlap follows later in this chapter.…”

Section: There Are Many Considerations That Stakeholders Want Addressedmentioning

confidence: 99%

Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits

Ablon¹,

Bogart²

2017

View full text Add to dashboard Cite

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions.The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest.RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org For more information on this publication, visit www.rand.org/t/RR1751Library of Congress Cataloging-in-Publication Data is available for this publication.ISBN: 978-0-8330-9761-3 Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2017 RAND CorporationR® is a registered trademark. Cover: Composite image by Eileen Delson La Russo. Adapted from images by Agil_Leonardo, Matejmo, and Byakkaya; courtesy of Getty Images.iii PrefaceThere is an ongoing policy debate over whether the U.S. government-or any government-should retain so-called zero-day software vulnerabilities or disclose them so they can be patched. 1 Those who have knowledge of a zero-day vulnerability may create "exploits"-code that takes advantage of the vulnerability-to access other parts of a system, execute their own code, act as an administrator, or perform some other action, but many worry that keeping these vulnerabilities secret can expose people who use the vulnerable software to malware attacks and other attempts to collect their private information. Furthermore, cybersecurity and the liability that might result from attacks, hacks, and data breaches using zero-day vulnerabilities have substantial implications for U.S. consumers, companies, and insurers, and for the civil justice system broadly.The debate of whether to retain or disclose these vulnerabilities is often fueled by how much overlap there might be between the zero-day vulnerabilities or exploits the U.S. government keeps and those its adversaries are stockpiling. If both sides have the same stockpiles, then some argue that there is little point to keeping them privatewhereas a smaller overlap might justify retention. But without information on the overlap, or concrete metrics based on actual data, it is challenging to make a well-informed decision about stockpiling.To address this question, RAND obtained rare access to a dataset of information about zero-day software vulnerabilities and exploits. In this report, we explore the dataset using novel applications ...

show abstract

“…Two reports by Ring illustrated this in further detail, discussing the competing opinion of whether companies should o er bounties to vulnerability research -and additionally of some companies prosecuting those discovering vulnerabilities [32,33]. Kuehn & Mueller [16,17] consider the changing dynamics in information security towards bug bounties being considered a norm. After case studies on Microsoft & Facebook's bug bounty they conclude that bug bounty programs exist as a way of reducing uncertainty when exchanging an information good as a reason for their development.…”

Section: Literaturementioning

confidence: 99%

Web Science Challenges in Researching Bug Bounties

Fryer

Simperl

2017

Proceedings of the 2017 ACM on Web Science Conference

View full text Add to dashboard Cite

The act of searching for security aws (vulnerabilities) in a piece of software was previously considered to be the preserve of malicious actors, or at least actors who wished to cause chaos. Increasingly, however, companies are recognising the value of running a bug bounty program, where they will pay 'white hat' hackers to locate and disclose security aws in their applications in order that they can x it. This is known as a 'bug bounty' or a 'vulnerability reward program', and at present has seen comparatively little research. This paper introduces two existing research on bug bounties in two areas: as a means of regulating the sale of vulnerabilities; and as a form of crowdsourcing. We argue that the nature of bug bounties makes Web science particularly suitable to drive forward research. We identify gaps in the current literature, and propose areas which we consider to be particularly promising for future research. CCS Concepts: • Information systems → Crowdsourcing; • Security and privacy → Social aspects of security and privacy;

show abstract

Analyzing Bug Bounty Programs: An Institutional Perspective on the Economics of Software Vulnerabilities

Cited by 18 publications

References 7 publications

Defining Cybersecurity Due Diligence Under International Law: Lessons from the Private Sector

Defining Cybersecurity Due Diligence Under International Law: Lessons from the Private Sector

Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits

Web Science Challenges in Researching Bug Bounties

Contact Info

Product

Resources

About