Proposal of a Novel Bug Bounty Implementation Using Gamification

Despite significant popularity, the bug bounty process has remained broadly unchanged since its inception, with limited adoption of gamification elements. The existing literature recognises that current methods place intensive resource demands on the client organisation (notably triage and verification of incoming reports) and can encounter issues that impact program effectiveness, such as duplicate and low-quality submissions. This paper proposes a novel bug bounty process aiming to alleviate those resource demands and mitigate these inherent issues. By additionally crowdsourcing report verification, so that fellow hackers perform vulnerability verification and reproduction, the client organisation reduces its own overheads at the cost of rewarding more participants. Incorporating gamification elements provides a partial substitute for monetary rewards and offers a possible mitigation of the effectiveness issues noted above. Collectively, the traits of the proposed process appear appropriate for resource- and budget-constrained organisations, such as Higher Education institutions.
