An Empirical Study of Bug Bounty Programs

Cited by: 0
Authors
Walshe, Thomas [1 ]
Simpson, Andrew [1 ]
Affiliations
[1] Univ Oxford, Dept Comp Sci, Oxford, England
Keywords
Bug bounty programs; vulnerability disclosure; software security;
DOI
10.1109/ibf50092.2020.9034828
Chinese Library Classification
TP31 [Computer software]
Discipline classification code
081202; 0835
Abstract
The task of identifying vulnerabilities is commonly outsourced to hackers participating in bug bounty programs. As of July 2019, bug bounty platforms such as HackerOne have over 200 publicly listed programs, with programs listed on HackerOne being responsible for the discovery of tens of thousands of vulnerabilities since 2013. We report the results of an empirical analysis that was undertaken using the data available from two bug bounty platforms to understand the costs and benefits of bug bounty programs both to participants and to organisations. We consider the economics of bug bounty programs, investigating the costs and benefits to those running such programs and the hackers that participate in finding vulnerabilities. We find that the average cost of operating a bug bounty program for a year is now less than the cost of hiring two additional software engineers.
Pages: 35 - 44
Page count: 10
Related papers (10 of 50 shown)
  • [1] Bug Bounty Programs - a Mapping Study
    Magazinius, Ana
    Mellegard, Niklas
    Olsson, Linda
    [J]. 2019 45TH EUROMICRO CONFERENCE ON SOFTWARE ENGINEERING AND ADVANCED APPLICATIONS (SEAA 2019), 2019, : 412 - 415
  • [2] The Rules of Engagement for Bug Bounty Programs
    Laszka, Aron
    Zhao, Mingyi
    Malbari, Akash
    Grossklags, Jens
    [J]. FINANCIAL CRYPTOGRAPHY AND DATA SECURITY, FC 2018, 2018, 10957 : 138 - 159
  • [3] Understanding the Heterogeneity of Contributors in Bug Bounty Programs
    Hata, Hideaki
    Guo, Mingyu
    Babar, M. Ali
    [J]. 11TH ACM/IEEE INTERNATIONAL SYMPOSIUM ON EMPIRICAL SOFTWARE ENGINEERING AND MEASUREMENT (ESEM 2017), 2017, : 223 - 228
  • [4] Bug Bounty Programs for Cybersecurity: Practices, Issues, and Recommendations
    Malladi, Suresh S.
    Subramanian, Hemang C.
    [J]. IEEE SOFTWARE, 2020, 37 (01) : 31 - 39
  • [5] Security Professional Skills Representation in Bug Bounty Programs and Processes
    Mumtaz, Sara
    Rodriguez, Carlos
    Zamanirad, Shayan
    [J]. SERVICE-ORIENTED COMPUTING, ICSOC 2020, 2021, 12632 : 334 - 348
  • [6] What We Know About Bug Bounty Programs - An Exploratory Systematic Mapping Study
    Magazinius, Ana
    Mellegard, Niklas
    Olsson, Linda
    [J]. SOCIO-TECHNICAL ASPECTS IN SECURITY AND TRUST, STAST 2019, 2021, 11739 : 89 - 106
  • [7] Navigating vulnerability markets and bug bounty programs: A public policy perspective
    Zrahia, Aviram
    [J]. INTERNET POLICY REVIEW, 2024, 13 (01)
  • [8] Bug Bounty Marketplaces and Enabling Responsible Vulnerability Disclosure: An Empirical Analysis
    Subramanian, Hemang Chamakuzhi
    Malladi, Suresh
    [J]. JOURNAL OF DATABASE MANAGEMENT, 2020, 31 (01) : 38 - 63
  • [9] Optimizing Bug Bounty Programs for Efficient Malware-Related Vulnerability Discovery
    Yulianto, Semi
    Soewito, Benfano
    Gaol, Ford Lumban
    Kurniawan, Aditya
    [J]. INTERNATIONAL JOURNAL OF ADVANCED COMPUTER SCIENCE AND APPLICATIONS, 2024, 15 (04) : 291 - 299
  • [10] Productivity and Patterns of Activity in Bug Bounty Programs: Analysis of HackerOne and Google Vulnerability Research
    Luna, Donatello
    Allodi, Luca
    Cremonini, Marco
    [J]. 14TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY (ARES 2019), 2019