An Empirical Study of Web Vulnerability Discovery Ecosystems

In recent years, many organizations have established bounty programs that attract white hat hackers who contribute vulnerability reports for web systems. In this paper, we collect publicly available data from two representative web vulnerability discovery ecosystems (Wooyun and HackerOne) and study their characteristics, trajectory, and impact. We find that both ecosystems include large and continuously growing white hat communities which have made significant contributions to organizations from a wide range of business sectors. We also analyze vulnerability trends, response and resolution behaviors, and reward structures of participating organizations. Our analysis of the HackerOne dataset reveals that a considerable number of organizations exhibit decreasing trends in reported web vulnerabilities. We further conduct a regression study which shows that monetary incentives have a significantly positive correlation with the number of vulnerabilities reported. Finally, we make recommendations aimed at increasing participation by white hats and organizations in such ecosystems.
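The abstract mentions two analyses: a per-organization trend in reported vulnerabilities over time, and a regression of report volume on monetary incentives. The following is an added example, not code or data from the paper, that runs both on a small constructed dataset (four hypothetical organizations, six months of monthly report counts, and an assumed average bounty per organization) using ordinary least squares written in pure Python. Function names, the `flat_band` threshold and all figures are assumptions chosen for illustration.

```python
"""Trend and incentive analysis over bug-bounty report counts (added example)."""
from __future__ import annotations

from math import sqrt
from typing import Dict, List, Sequence, Tuple

# Constructed sample, NOT real HackerOne or Wooyun data.
# Monthly counts of valid web vulnerability reports, months 0..5 after launch.
REPORTS: Dict[str, List[int]] = {
    "org-A": [12, 11, 9, 8, 6, 5],   # steadily fewer reports over time
    "org-B": [3, 4, 4, 6, 7, 9],     # growing program
    "org-C": [5, 5, 4, 5, 5, 5],     # stable
    "org-D": [2, 2, 3, 2, 2, 2],     # stable, low volume
}
# Assumed average bounty (USD) each organization pays per valid report.
BOUNTY: Dict[str, float] = {"org-A": 1500, "org-B": 1000, "org-C": 200, "org-D": 50}


def ols(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float, float]:
    """Ordinary least squares fit y = slope*x + intercept.

    Returns (slope, intercept, pearson_r). Requires at least two points and
    non-constant x; r is reported as 0.0 when y is constant.
    """
    n = len(xs)
    if n < 2 or n != len(ys):
        raise ValueError("need at least two paired observations")
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    if sxx == 0:
        raise ValueError("x must not be constant")
    slope = sxy / sxx
    intercept = my - slope * mx
    r = 0.0 if syy == 0 else sxy / sqrt(sxx * syy)
    return slope, intercept, r


def monthly_trend(counts: Sequence[int]) -> float:
    """Slope of report count per month (reports/month) for one organization."""
    months = list(range(len(counts)))
    return ols(months, counts)[0]


def classify_trend(slope: float, flat_band: float = 0.1) -> str:
    """Label a slope as decreasing, increasing or flat.

    flat_band is an illustrative threshold: slopes within +/-flat_band
    reports per month are treated as no trend.
    """
    if slope < -flat_band:
        return "decreasing"
    if slope > flat_band:
        return "increasing"
    return "flat"


def org_trends(reports: Dict[str, List[int]]) -> Dict[str, str]:
    """Trend label for every organization in the dataset."""
    return {org: classify_trend(monthly_trend(c)) for org, c in reports.items()}


def incentive_regression(
    reports: Dict[str, List[int]], bounty: Dict[str, float]
) -> Tuple[float, float, float]:
    """Regress total reports per organization on its average bounty.

    Returns (slope in reports per USD, intercept, pearson_r).
    """
    orgs = sorted(reports)
    xs = [bounty[o] for o in orgs]
    ys = [float(sum(reports[o])) for o in orgs]
    return ols(xs, ys)


if __name__ == "__main__":
    for org, label in org_trends(REPORTS).items():
        print(f"{org}: slope={monthly_trend(REPORTS[org]):+.2f}/month -> {label}")
    slope, intercept, r = incentive_regression(REPORTS, BOUNTY)
    print(f"reports ~ {slope:.4f} * bounty + {intercept:.2f}  (r={r:.2f})")
```

With four organizations the regression is only a demonstration of the mechanics; the paper's claim rests on a far larger sample and a significance test, which a real analysis of your own program data should include before drawing conclusions about incentives.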
