Diversity or Concentration? Hackers’ Strategy for Working Across Multiple Bug Bounty Programs
نویسندگان
چکیده
Bug bounty programs have been proved effective in attracting external hackers to find and disclose potential flaws in a responsible way. There are many different bug bounty programs, so how do hackers balance diversity and concentration to effectively build their reputation in the vulnerability discovery ecosystem? In this paper, we present a novel methodology to understand how hackers spread their attention and earn bounties across different programs. The empirical result shows the relationship between diversity and concentration and suggests an effective strategy for hackers to work across multiple bug bounty programs. KeywordsBug Bounty Program, Vulnerability Discovery Ecosystem, Diversity or Concentration Strategy
منابع مشابه
Crowdsourced Security Vulnerability Discovery: Modeling and Organizing Bug-Bounty Programs
Despite significant progress in software-engineering practices, software utilized for desktop and mobile computing remains insecure. At the same time, the consumer and business information handled by these programs is growing in its richness and monetization potential, which triggers significant privacy and security concerns. In response to these challenges, companies are increasingly harvestin...
متن کاملHackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes
Identifying security vulnerabilities in software is a critical task that requires significant human effort. Currently, vulnerability discovery is often the responsibility of software testers before release and white-hat hackers (often within bug bounty programs) afterward. This arrangement can be ad-hoc and far from ideal; for example, if testers could identify more vulnerabilities, software wo...
متن کاملBanishing Misaligned Incentives for Validating Reports in Bug-Bounty Platforms
Bug-bounty programs have the potential to harvest the efforts and diverse knowledge of thousands of white hat hackers. As a consequence, they are becoming increasingly popular as a key part of the security culture of organizations. However, bug-bounty programs can be riddled with myriads of invalid vulnerability-report submissions, which are partially the result of misaligned incentives between...
متن کاملEnter the Hydra: Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts
Vulnerability reward programs, a.k.a. bug bounties, are a popular tool that could help prevent software exploits. Today, however, they lack rigorous principles for setting bounty amounts and require high payments to attract economically rational hackers. Rather than claim bounties for serious bugs, hackers often sell or exploit them. We present the Hydra Framework, the first general, principled...
متن کاملGiven enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs
Bug bounty programs offer a modern platform for organizations to crowdsource their software security and for security researchers to be fairly rewarded for the vulnerabilities they find. Little is known however on the incentives set by bug bounty programs: How they drive new bug discoveries, and how they supposedly improve security through the progressive exhaustion of discoverable vulnerabilit...
متن کامل