A Bug Bounty Perspective on the Disclosure of Web Vulnerabilities

Bug bounties have become increasingly popular in recent years. This paper discusses bug bounties by framing them theoretically against the so-called platform economy. Empirically, the focus is on the disclosure of web vulnerabilities through the Open Bug Bounty (OBB) platform between 2015 and late 2017. According to the empirical results, which are based on a dataset covering nearly 160 thousand web vulnerabilities, (i) OBB has been successful as a community-based platform for the dissemination of web vulnerabilities, and it has also attracted many productive hackers; (ii) there nevertheless exists a large productivity gap between participants, which likely relates to (iii) a knowledge gap and the use of automated tools for web vulnerability discovery. While the platform (iv) has been exceptionally fast at evaluating new vulnerability submissions, (v) the patching times of the disseminated web vulnerabilities have been long. With these empirical results and the accompanying theoretical discussion, the paper contributes to the small but rapidly growing body of research on bug bounties. In addition, the paper makes a practical contribution by discussing the business models behind bug bounties from the viewpoints of platforms, ecosystems, and vulnerability markets.
