Web Science Challenges in Researching Bug Bounties

Fryer, Huw; Simperl, Elena

doi:10.1145/3091478.3091517

Cited by 13 publications

(10 citation statements)

References 25 publications

(39 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An increasingly popular approach to identifying vulnerabilities in software is to offer rewards to security researchers that are external to an organisation ('hackers') to find and disclose vulnerabilities [1]. This approach is now seeing adoption in areas such as e-voting systems, government systems and selfdriving cars [2]- [4].…”

Section: Introductionmentioning

confidence: 99%

“…The formal exchange of information in this context is typically facilitated by a bug bounty platform. The number of new bug bounty programs available on platforms such as HackerOne 1 has increased year-on-year since 2013 [8], with 50 new organisations launching a program in 2018. This increase is illustrated in Table I. As of January 2019, the top 25 companies using HackerOne have used the platform to obtain reports for over 19,000 vulnerabilities, at an average of 0.71 vulnerabilities reported for each day the program is run -resulting in $11.9 million being paid out to hackers for successfully finding vulnerabilities [8].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Empirical Study of Bug Bounty Programs

Walshe

Simpson

2020

2020 IEEE 2nd International Workshop on Intelligent Bug Fixing (IBF)

View full text Add to dashboard Cite

The task of identifying vulnerabilities is commonly outsourced to hackers participating in bug bounty programs. As of July 2019, bug bounty platforms such as HackerOne have over 200 publicly listed programs, with programs listed on HackerOne being responsible for the discovery of tens of thousands of vulnerabilities since 2013. We report the results of an empirical analysis that was undertaken using the data available from two bug bounty platforms to understand the costs and benefits of bug bounty programs both to participants and to organisations. We consider the economics of bug bounty programs, investigating the costs and benefits to those running such programs and the hackers that participate in finding vulnerabilities. We find that the average cost of operating a bug bounty program for a year is now less than the cost of hiring two additional software engineers.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

An Empirical Study of Bug Bounty Programs

Walshe

Simpson

2020

2020 IEEE 2nd International Workshop on Intelligent Bug Fixing (IBF)

View full text Add to dashboard Cite

show abstract

“…Figure 1 illustrates the most popular variants of the bug bounty process (Fryer and Simperl, 2017). While in process A the external hacker corresponds directly to the vendor, process B introduces an intermediate platform.…”

Section: Background 21 Bug Bounty Programsmentioning

confidence: 99%

“…Potentially, this issue is encouraged with admission to private programs. Consequently, these problems can be a significant detriment to the effectiveness of a program, often impeding the verification and triaging processes (Fryer and Simperl, 2017).…”

Section: Bug Bounty Issuesmentioning

confidence: 99%

“…Such events often coincide with scope increases. Providing solely monetary incentivisation during this event can lead to a significant signal-to-noise ratio impacting the effectiveness of this strategy (Fryer and Simperl, 2017). Nevertheless, this strategy could part or whole substitute monetary incentivisation for gamification elements.…”

Section: Aspects Of Gamificationmentioning

confidence: 99%

See 1 more Smart Citation

Proposal of a Novel Bug Bounty Implementation Using Gamification

O'Hare¹,

Shepherd²

2020

Preprint

View full text Add to dashboard Cite

Despite significant popularity, the bug bounty process has remained broadly unchanged since its inception, with limited implementation of gamification aspects. Existing literature recognises that current methods generate intensive resource demands, and can encounter issues impacting program effectiveness. This paper proposes a novel bug bounty process aiming to alleviate resource demands and mitigate inherent issues. Through the additional crowdsourcing of report verification where fellow hackers perform vulnerability verification and reproduction, the client organisation can reduce overheads at the cost of rewarding more participants. The incorporation of gamification elements provides a substitute for monetary rewards, as well as presenting possible mitigation of bug bounty program effectiveness issues. Collectively, traits of the proposed process appear appropriate for resource and budget-constrained organisations -such Higher Education institutions.

show abstract