Banishing Misaligned Incentives for Validating Reports in Bug-Bounty Platforms
نویسندگان
چکیده
Bug-bounty programs have the potential to harvest the efforts and diverse knowledge of thousands of white hat hackers. As a consequence, they are becoming increasingly popular as a key part of the security culture of organizations. However, bug-bounty programs can be riddled with myriads of invalid vulnerability-report submissions, which are partially the result of misaligned incentives between white hats and organizations. To further improve the effectiveness of bug-bounty programs, we introduce a theoretical model for evaluating approaches for reducing the number of invalid reports. We develop an economic framework and investigate the strengths and weaknesses of existing canonical approaches for effectively incentivizing higher validation efforts by white hats. Finally, we introduce a novel approach, which may improve efficiency by enabling different white hats to exert validation effort at their individually optimal levels.
منابع مشابه
Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs
Bug bounty programs offer a modern platform for organizations to crowdsource their software security and for security researchers to be fairly rewarded for the vulnerabilities they find. Little is known however on the incentives set by bug bounty programs: How they drive new bug discoveries, and how they supposedly improve security through the progressive exhaustion of discoverable vulnerabilit...
متن کاملCrowdsourced Security Vulnerability Discovery: Modeling and Organizing Bug-Bounty Programs
Despite significant progress in software-engineering practices, software utilized for desktop and mobile computing remains insecure. At the same time, the consumer and business information handled by these programs is growing in its richness and monetization potential, which triggers significant privacy and security concerns. In response to these challenges, companies are increasingly harvestin...
متن کاملDiversity or Concentration? Hackers’ Strategy for Working Across Multiple Bug Bounty Programs
Bug bounty programs have been proved effective in attracting external hackers to find and disclose potential flaws in a responsible way. There are many different bug bounty programs, so how do hackers balance diversity and concentration to effectively build their reputation in the vulnerability discovery ecosystem? In this paper, we present a novel methodology to understand how hackers spread t...
متن کاملNIZKCTF: A Non-Interactive Zero-Knowledge Capture the Flag Platform
Capture the Flag (CTF) competitions are educational and professional tools for the cybersecurity community. Unfortunately, CTF platforms suffer from the same security issues as other software components, what may give advantage to competitors who target the actual platform instead of the challenges. While it is arguable that successful attacks against the platform demonstrate relevant skills, t...
متن کاملHackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes
Identifying security vulnerabilities in software is a critical task that requires significant human effort. Currently, vulnerability discovery is often the responsibility of software testers before release and white-hat hackers (often within bug bounty programs) afterward. This arrangement can be ad-hoc and far from ideal; for example, if testers could identify more vulnerabilities, software wo...
متن کامل