Bug Bounty Programs – A Mapping Study

This paper describes a mapping study designed to investigate the available research on bug bounty programs (BBPs). Based on the 72 identified papers, we conclude that the research has focused on the organisation of bug bounties from the product owner's perspective, rather than on bug hunters and the market for bugs. To understand BBPs better, the open datasets available today should be complemented with datasets from more diverse types of companies (e.g. safety-critical systems), and more in-depth qualitative studies should be conducted.
