Towards a Greater Understanding of Coordinated Vulnerability Disclosure Policy Documents

Walshe, Thomas; Simpson, Andrew

doi:10.1145/3586180

Cited by 2 publications

(1 citation statement)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The first program type allows researchers to safely submit their reports to organisations without receiving cash rewards, and the latter offers monetary awards for unique (unknown) valid discoveries (Walshe & Simpson, 2022). Organisations operating bug bounty programs often fail to convey all the formal constraints applicable to hackers, requiring them to understand the laws underpinning safe and legal security research (Walshe & Simpson, 2023). Crowdsourcing security as a service through bug bounty platforms can enable this process safely and legally.…”

Section: Support Bug Bounty Programs and Platformsmentioning

confidence: 99%

Navigating vulnerability markets and bug bounty programs: A public policy perspective

Zrahia

2024

Internet Policy Review

View full text Add to dashboard Cite

As societies become increasingly dependent on digital means, organisations seek ways to prevent software exploitation by eliminating vulnerabilities or acquiring them as products. However, there is an ongoing debate regarding the extent to which governments should become involved in markets for vulnerability sharing. This paper examines the economics of vulnerabilities and outlines possible areas for governmental interventions. I survey three policy alternatives to support the discovery and disclosure of software vulnerabilities: integrating security and penetration testing into the software development life cycle, acquiring exploitable critical vulnerabilities by governments, and promoting bug bounty programs and platforms as vulnerability-sharing structures. For each suggested alternative, I present an impact matrix to qualitatively measure the effectiveness and efficiency of the vulnerability discovery process and the attractiveness, legality and trustworthiness of the disclosure process. I argue that bug bounty programs that bring together organisations and ethical hackers to trade vulnerabilities produce the highest impact. These gig economy structures are often based on two-sided digital market platforms as their foundation and offer a low entry barrier and assurance level for both market players. The discussion provides a foundation for governmental decision-makers to design effective policies for sharing vulnerabilities. Issue 1 1. Examples include the National Cyber Security Centre (NCSC) in the UK, and the Cybersecurity and Infrastructure Security Agency (CISA) in the US.

show abstract

Section: Support Bug Bounty Programs and Platformsmentioning

confidence: 99%

Navigating vulnerability markets and bug bounty programs: A public policy perspective

Zrahia

2024

Internet Policy Review

View full text Add to dashboard Cite

show abstract

Navigating vulnerability markets and bug bounty programs: a public policy perspective

Zrahia

2023

SSRN Journal

View full text Add to dashboard Cite

Towards a Greater Understanding of Coordinated Vulnerability Disclosure Policy Documents

Cited by 2 publications

References 46 publications

Navigating vulnerability markets and bug bounty programs: A public policy perspective

Navigating vulnerability markets and bug bounty programs: A public policy perspective

Navigating vulnerability markets and bug bounty programs: a public policy perspective

Contact Info

Product

Resources

About