An Empirical Study of Bug Bounty Programs

Walshe, Thomas; Simpson, Andrew

doi:10.1109/ibf50092.2020.9034828

Cited by 36 publications

(35 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The idea is that harnessing the wisdom of the crowd is more economically efficient and also results in more discovered bugs. Both claims have been validated empirically, the former by Finifter et al [21] and Walshe and Simpson [63]. and the latter by Maillart et al [42].…”

Section: Bug Bounties and Crowdsourced Securitymentioning

confidence: 95%

Observations From an Online Security Competition and Its Implications on Crowdsourced Security

Cuevas¹,

Hogan²,

Hibshi³

et al. 2022

Preprint

View full text Add to dashboard Cite

The crowd sourced security industry, particularly bug bounty programs, has grown dramatically over the past years and has become the main source of software security reviews for many companies. However, the academic literature has largely omitted security teams, particularly in crowd work contexts. As such, we know very little about how distributed security teams organize, collaborate, and what technology needs they have. We fill this gap by conducting focus groups with the top five teams (out of 18,201 participating teams) of a computer security Capture-the-Flag (CTF) competition. We find that these teams adopted a set of strategies centered on specialties, which allowed them to reduce issues relating to dispersion, double work, and lack of previous collaboration. Observing the current issues of a model centered on individual workers in security crowd work platforms, our study cases that scaling security work to teams is feasible and beneficial. Finally, we identify various areas which warrant future work, such as issues of social identity in high-skilled crowd work environments.

show abstract

Section: Bug Bounties and Crowdsourced Securitymentioning

confidence: 95%

Observations From an Online Security Competition and Its Implications on Crowdsourced Security

Cuevas¹,

Hogan²,

Hibshi³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…We strongly believe that IoT vendors need to foster communication with security researchers, rather than trying to mute them. These collaborations can lead to open specifications and collaborative bug bounties [106]. Third, commercial pressure puts usability before security [107], and any actor who would like to change this process would probably face lower sales than those of its competitors.…”

Section: Perspectives To Improve the Security Of Iot Networkmentioning

confidence: 99%

A survey of IoT protocols and their security issues through the lens of a generic IoT stack

et al. 2021

View full text Add to dashboard Cite

The Internet of things (IoT) is rapidly growing, and many security issues relate to its wireless technology. These security issues are challenging because IoT protocols are heterogeneous, suit different needs, and are used in different application domains. From this assessment, we identify the need to provide a homogeneous formalism applying to every IoT protocols. In this survey, we describe a generic approach with twofold challenges. The first challenge we tackle is the identification of common principles to define a generic approach to compare IoT protocol stack. We base the comparison on five different criteria: the range, the openness of the protocol, the interoperability, the topology and the security practices of these IoT protocols. The second challenge we consider is to find a generic way to describe fundamental IoT attacks regardless of the protocol used. This approach exposes similar attacks amongst different IoT protocols and is divided into three parts: attacks focusing on packets (passive and active cryptographic attacks), attacks focusing on the protocol (MITM, Flooding, Sybil, Spoofing, Wormhole attacks) and attacks focusing on the whole system (Sinkhole, Selective forwarding attacks). It also highlights which mechanisms are different between two protocols to make both of them vulnerable to an attack. Finally, we draw some lessons and perspectives from this transversal study.

show abstract

“…However, with large estates operating a diverse array of technologies, those responsible struggle to identify all possible vulnerabilities. As a result, a growing number of organisations are attempting to harness the power of crowdsourcing through the implementation of a bug bounty program to help combat this problem (Walshe and Simpson, 2020).…”

Section: Introductionmentioning

confidence: 99%

“…The past decade has seen the rapid adoption, development and maturity of bug bounty programs across a variety of organisations and sectors (Walshe and Simpson, 2020). Organisations such as Google and Dropbox have adopted bug bounty programs, with the latter surpassing $1 million in payouts on the HackerOne platform, while the former rewarded $6.5 million in 2019, and over $21 million since its inception (Team, 2020;Google, 2020).…”

Section: Introductionmentioning

confidence: 99%

Proposal of a Novel Bug Bounty Implementation Using Gamification

O'Hare¹,

Shepherd²

2020

Preprint

View full text Add to dashboard Cite

Despite significant popularity, the bug bounty process has remained broadly unchanged since its inception, with limited implementation of gamification aspects. Existing literature recognises that current methods generate intensive resource demands, and can encounter issues impacting program effectiveness. This paper proposes a novel bug bounty process aiming to alleviate resource demands and mitigate inherent issues. Through the additional crowdsourcing of report verification where fellow hackers perform vulnerability verification and reproduction, the client organisation can reduce overheads at the cost of rewarding more participants. The incorporation of gamification elements provides a substitute for monetary rewards, as well as presenting possible mitigation of bug bounty program effectiveness issues. Collectively, traits of the proposed process appear appropriate for resource and budget-constrained organisations -such Higher Education institutions.

show abstract

An Empirical Study of Bug Bounty Programs

Cited by 36 publications

References 18 publications

Observations From an Online Security Competition and Its Implications on Crowdsourced Security

Observations From an Online Security Competition and Its Implications on Crowdsourced Security

A survey of IoT protocols and their security issues through the lens of a generic IoT stack

Proposal of a Novel Bug Bounty Implementation Using Gamification

Contact Info

Product

Resources

About