The Rules of Engagement for Bug Bounty Programs

White hat hackers, also called ethical hackers, who find and report vulnerabilities to bug bounty programs have become a significant part of today’s security ecosystem. While the efforts of white hats contribute to heightened levels of security at the participating organizations, the white hats’ participation needs to be carefully managed to balance risks with anticipated benefits. One way, taken by organizations, to manage bug bounty programs is to create rules that aim to regulate the behavior of white hats, but also bind these organizations to certain actions (e.g., level of bounty payments). To the best of our knowledge, no research exists that studies the content of these program rules and their impact on the effectiveness of bug bounty programs.

[1]  Aron Laszka,et al.  Banishing Misaligned Incentives for Validating Reports in Bug-Bounty Platforms , 2016, ESORICS.

[2]  Sam Ransbotham,et al.  Are Markets for Vulnerabilities Effective? , 2012, MIS Q..

[3]  Zhao,et al.  Devising Effective Policies for Bug-Bounty Platforms and Security Vulnerability Discovery , 2017, Journal of Information Policy.

[4]  Muhammad Zubair Shafiq,et al.  A large scale exploratory analysis of software vulnerability life cycles , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[5]  Sandy Clark,et al.  Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities , 2010, ACSAC '10.

[6]  E A Smith,et al.  Automated readability index. , 1967, AMRL-TR. Aerospace Medical Research Laboratories.

[7]  Yashwant K. Malaiya,et al.  Software Vulnerability Markets: Discoverers and Buyers , 2014 .

[8]  David A. Wagner,et al.  An Empirical Study on the Effectiveness of Security Code Review , 2013, ESSoS.

[9]  David C. Parkes,et al.  A market-based approach to software evolution , 2009, OOPSLA Companion.

[10]  Andy Ozment,et al.  The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting , 2005, WEIS.

[11]  Jens Grossklags,et al.  Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs , 2016, J. Cybersecur..

[12]  David A. Wagner,et al.  An Empirical Study of Vulnerability Rewards Programs , 2013, USENIX Security Symposium.

[13]  Michael Siegel,et al.  Poster: Diversity or Concentration? Hackers’ Strategy for Working Across Multiple Bug Bounty Programs , 2016 .

[14]  Milton L. Mueller,et al.  Analyzing Bug Bounty Programs: An Institutional Perspective on the Economics of Software Vulnerabilities , 2014 .

[15]  Stuart E. Schechter,et al.  Milk or Wine: Does Software Security Improve with Age? , 2006, USENIX Security Symposium.

[16]  Rainer Böhme,et al.  A Comparison of Market Approaches to Software Vulnerability Disclosure , 2006, ETRICS.

[17]  Eric Rescorla,et al.  Is finding security holes a good idea? , 2005, IEEE Security & Privacy.

[18]  Aron Laszka,et al.  Crowdsourced Security Vulnerability Discovery: Modeling and Organizing Bug-Bounty Programs , 2016 .

[19]  Mehran Bozorgi,et al.  Beyond heuristics: learning to classify vulnerabilities and predict exploits , 2010, KDD.

[20]  Kai Chen,et al.  An Exploratory Study of White Hat Behaviors in a Web Vulnerability Disclosure Program , 2014, SIW '14.

[21]  R. Flesch A new readability yardstick. , 1948, The Journal of applied psychology.

[22]  Peng Liu,et al.  An Empirical Study of Web Vulnerability Discovery Ecosystems , 2015, CCS.

[23]  G. Harry McLaughlin,et al.  SMOG Grading - A New Readability Formula. , 1969 .

[24]  Jia Zhang,et al.  Shifting to Mobile: Network-Based Empirical Study of Mobile Vulnerability Market , 2020, IEEE Transactions on Services Computing.