Johannes Wachs

DOI: https://doi.org/10.48550/arXiv.2204.06905

2022-04-14

Abstract:Security is an essential cornerstone of functioning digital marketplaces and communities. If users doubt that data shared online will remain secure, they will withdraw from platforms. Even when firms take these risks seriously, security expertise is expensive and vulnerabilities are diverse in nature. Increasingly, firms and governments are turning to bug bounty programs (BBPs) to crowdsource their cybersecurity, in which they pay individuals for reporting vulnerabilities in their systems. And while the use of BBPs has grown significantly in recent years, research on the actors in this market and their incentives remains limited. Using the lens of transaction cost economics, this paper examines the incentives of firms and researchers (sometimes called hackers) participating in BBPs. We study the crucial role that centralized platforms that organize BBPs play in this emerging market. We carry out an analysis of the HackerOne BBP platform, using a novel dataset on over 14,000 researchers reporting over 125,000 public vulnerabilities to over 500 firms from 2014 to the end of 2021. We outline how platforms like HackerOne make a market for information security vulnerabilities by reducing information asymmetries and their associated transaction costs.

Cryptography and Security,Social and Information Networks

Esther Gal-Or,Muhammad Zia Hydari,Rahul Telang

2024-04-26

Abstract:Software vulnerabilities enable exploitation by malicious hackers, compromising systems and data security. This paper examines bug bounty programs (BBPs) that incentivize ethical hackers to discover and responsibly disclose vulnerabilities to software vendors. Using game-theoretic models, we capture the strategic interactions between software vendors, ethical hackers, and malicious hackers. First, our analysis shows that software vendors can increase expected profits by participating in BBPs, explaining their growing adoption and the success of BBP platforms. Second, we find that vendors with BBPs will release software earlier, albeit with more potential vulnerabilities, as BBPs enable coordinated vulnerability disclosure and mitigation. Third, the optimal number of ethical hackers to invite to a BBP depends solely on the expected number of malicious hackers seeking exploitation. This optimal number of ethical hackers is lower than but increases with the expected malicious hacker count. Finally, higher bounties incentivize ethical hackers to exert more effort, thereby increasing the probability that they will discover severe vulnerabilities first while reducing the success probability of malicious hackers. These findings highlight BBPs' potential benefits for vendors beyond profitability. Earlier software releases are enabled by managing risks through coordinated disclosure. As cybersecurity threats evolve, BBP adoption will likely gain momentum, providing vendors with a valuable tool for enhancing security posture and stakeholder trust. Moreover, BBPs envelop vulnerability identification and disclosure into new market relationships and transactions, impacting software vendors' incentives regarding product security choices like release timing.

Cryptography and Security,Computer Science and Game Theory,General Economics

Thomas Maillart,Mingyi Zhao,Jens Grossklags,John Chuang

DOI: https://doi.org/10.1093/cybsec/tyx008

2017-06-01

Journal of Cyber Security

Abstract:Bug bounty programs offer a modern way for organizations to crowdsource their software security, and for security researchers to be fairly rewarded for the vulnerabilities they find. However, little is known on the incentives set by bug bounty programs – how they drive engagement and new bug discoveries. This article provides an empirical investigation of the strategic interactions among the managers and participants of bug bounty programs, as well as the intermediation by bug bounty platforms. We find that for a given bug bounty program, each security researcher can only expect to discover a bounded number of bugs. This result offers a validation step to a theory brought forth early on by Brady et al. This theory proposes that each security researcher inspecting a piece of software offers a unique environment of skills and mindset, which is amenable to the discovery of bugs that others may not be able to uncover. Bug bounty programs indeed benefit from the engagement of large crowds of researchers. Conversely, security researchers benefit greatly from searching for bugs in multiple bug bounty programs. However, we find that following a strong front-loading effect, newly launched programs attract researchers at the expense of older programs: the probability of finding bugs decays as ∼1/t0.4 after the launch of a program, even though bugs found later yield on average higher rewards. Our results lead us to formulate three recommendations for organizing bug bounty programs and platforms: (i) organize enrollment, mobility, and renewal of security researchers across bounty programs, (ii) highlight and organize programs for front-loading, and (iii) organize fluid market transactions to reduce uncertainty and thus reduce incentives for security researchers to sell on the black market.

English Else

Jukka Ruohonen,Luca Allodi

DOI: https://doi.org/10.48550/arXiv.1805.09850

2018-05-25

Abstract:Bug bounties have become increasingly popular in recent years. This paper discusses bug bounties by framing these theoretically against so-called platform economy. Empirically the interest is on the disclosure of web vulnerabilities through the Open Bug Bounty (OBB) platform between 2015 and late 2017. According to the empirical results based on a dataset covering nearly 160 thousand web vulnerabilities, (i) OBB has been successful as a community-based platform for the dissemination of web vulnerabilities. The platform has also attracted many productive hackers, (ii) but there exists a large productivity gap, which likely relates to (iii) a knowledge gap and the use of automated tools for web vulnerability discovery. While the platform (iv) has been exceptionally fast to evaluate new vulnerability submissions, (v) the patching times of the web vulnerabilities disseminated have been long. With these empirical results and the accompanying theoretical discussion, the paper contributes to the small but rapidly growing amount of research on bug bounties. In addition, the paper makes a practical contribution by discussing the business models behind bug bounties from the viewpoints of platforms, ecosystems, and vulnerability markets.

Cryptography and Security,Computers and Society,Software Engineering

Soodeh Atefi,Amutheezan Sivagnanam,Afiya Ayman,Jens Grossklags,Aron Laszka

DOI: https://doi.org/10.48550/arXiv.2301.12092

2023-02-24

Abstract:Recently, bug-bounty programs have gained popularity and become a significant part of the security culture of many organizations. Bug-bounty programs enable organizations to enhance their security posture by harnessing the diverse expertise of crowds of external security experts (i.e., bug hunters). Nonetheless, quantifying the benefits of bug-bounty programs remains elusive, which presents a significant challenge for managing them. Previous studies focused on measuring their benefits in terms of the number of vulnerabilities reported or based on the properties of the reported vulnerabilities, such as severity or exploitability. However, beyond these inherent properties, the value of a report also depends on the probability that the vulnerability would be discovered by a threat actor before an internal expert could discover and patch it. In this paper, we present a data-driven study of the Chromium and Firefox vulnerability-reward programs. First, we estimate the difficulty of discovering a vulnerability using the probability of rediscovery as a novel metric. Our findings show that vulnerability discovery and patching provide clear benefits by making it difficult for threat actors to find vulnerabilities; however, we also identify opportunities for improvement, such as incentivizing bug hunters to focus more on development releases. Second, we compare the types of vulnerabilities that are discovered internally vs. externally and those that are exploited by threat actors. We observe significant differences between vulnerabilities found by external bug hunters, internal security teams, and external threat actors, which indicates that bug-bounty programs provide an important benefit by complementing the expertise of internal teams, but also that external hunters should be incentivized more to focus on the types of vulnerabilities that are likely to be exploited by threat actors.

Cryptography and Security

Feodosiy Kipchuk,Volodymyr Sokolov

DOI: https://doi.org/10.28925/2663-4023.2023.22.6883

2023-01-01

Abstract:The article describes the ways of researching bug bounties of programs and proposes a new approach for calculating the score of the found vulnerabilities. The paper begins with an introduction to the understanding of vulnerability management processes and the concept of an attack surface. The paper analyzes the statistics of all vulnerabilities found in information systems over the past ten years, which are divided according to the standard CVSS score. The types and vectors of attacks are analyzed in the example of the financial sector. Additionally, hacking and incidents are categorized by attack vectors in the financial sector. The following is the ratio of the most popular types and vectors of attacks to the criticality of information systems. A rating of critical and high vulnerabilities of one of the bug bounty platforms is presented with a detailed description of the types of attacks and exploitation techniques. An integral part of the vulnerability management process is the categorization of importance and impact on the organization. Possible life cycle scenarios for the identified vulnerability in an information system are also presented through the eyes of the owner of the vulnerability information and the owner of such an information system. A comparative quantitative and qualitative analysis of the maturity of bug bounty programs from the moment of launch and over the years, as well as the factors influencing the maturity of the program, are carried out. The statistics of vulnerabilities found in public bug bounty programs over the past six years are analyzed. The author proposes her approach to calculating the effective cost of a bug bounty program and conducts an experimental test on three programs. The factors influencing the calculation of the effective cost of vulnerabilities are highlighted. Approaches to vulnerability assessment and validation by bug bounty platforms and the stages of arbitration between the owner of the information system and the vulnerability researcher are considered. The study concludes with recommendations for achieving a higher level of maturity in vulnerability management processes. The forging highlights the continuity of the emergence and disappearance of additional factors in vulnerability management processes, in which bug bounty programs are an integral part. The interdependence of the maturity of the company’s processes and its bug bounty program requires the attraction of sufficient resources for its effectiveness.

Jessy Ayala,Steven Ngo,Joshua Garcia

2024-09-12

Abstract:Researchers have investigated the bug bounty ecosystem from the lens of platforms, programs, and bug hunters. Understanding the perspectives of bug bounty report reviewers, especially those who historically lack a security background and little to no funding for bug hunters, is currently understudied. In this paper, we primarily investigate the perspective of open-source software (OSS) maintainers who have used \texttt{huntr}, a bug bounty platform that pays bounties to bug hunters who find security bugs in GitHub projects and have had valid vulnerabilities patched as a result. We address this area by conducting three studies: identifying characteristics through a listing survey ($n_1=51$), their ranked importance with Likert-scale survey data ($n_2=90$), and conducting semi-structured interviews to dive deeper into real-world experiences ($n_3=17$). As a result, we categorize 40 identified characteristics into benefits, challenges, helpful features, and wanted features. We find that private disclosure and project visibility are the most important benefits, while hunters focused on money or CVEs and pressure to review are the most challenging to overcome. Surprisingly, lack of communication with bug hunters is the least challenging, and CVE creation support is the second-least helpful feature for OSS maintainers when reviewing bug bounty reports. We present recommendations to make the bug bounty review process more accommodating to open-source maintainers and identify areas for future work.

Software Engineering,Cryptography and Security

Hans Gersbach,Fikri Pitsuwan,Pio Blieske

DOI: https://doi.org/10.48550/arXiv.2403.09484

2024-03-14

Abstract:Bug bounty programs, where external agents are invited to search and report vulnerabilities (bugs) in exchange for rewards (bounty), have become a major tool for companies to improve their systems. We suggest augmenting such programs by inserting artificial bugs to increase the incentives to search for real (organic) bugs. Using a model of crowdsearch, we identify the efficiency gains by artificial bugs, and we show that for this, it is sufficient to insert only one artificial bug. Artificial bugs are particularly beneficial, for instance, if the designer places high valuations on finding organic bugs or if the budget for bounty is not sufficiently high. We discuss how to implement artificial bugs and outline their further benefits.

Theoretical Economics,Cryptography and Security

Kamil Malinka,Anton Firc,Pavel Loutocký,Jakub Vostoupal,Andrej Krištofík,František Kasl

DOI: https://doi.org/10.1145/3649217.3653633

2024-04-18

Abstract:To keep up with the growing number of cyber-attacks and associated threats, there is an ever-increasing demand for cybersecurity professionals and new methods and technologies. Training new cybersecurity professionals is a challenging task due to the broad scope of the area. One particular field where there is a shortage of experts is Ethical Hacking. Due to its complexity, it often faces educational constraints. Recognizing these challenges, we propose a solution: integrating a real-world bug bounty programme into cybersecurity curriculum. This innovative approach aims to fill the gap in practical cybersecurity education and also brings additional positive benefits. To evaluate our idea, we include the proposed solution to a secure coding course for IT-oriented faculty. We let students choose to participate in a bug bounty programme as an option for the semester assignment in a secure coding course. We then collected responses from the students to evaluate the outcomes (improved skills, reported vulnerabilities, a better relationship with security, etc.). Evaluation of the assignment showed that students enjoyed solving such real-world problems, could find real vulnerabilities, and that it helped raise their skills and cybersecurity awareness. Participation in real bug bounty programmes also positively affects the security level of the tested products. We also discuss the potential risks of this approach and how to mitigate them.

Cryptography and Security

Zahid Maqbool,Nidhi Makhijani,V S Chandrasekhar Pammi,Varun Dutt

DOI: https://doi.org/10.1177/0018720816681888

Abstract:Objective: The aim of this study was to determine how monetary motivations influence decision making of humans performing as security analysts and hackers in a cybersecurity game. Background: Cyberattacks are increasing at an alarming rate. As cyberattacks often cause damage to existing cyber infrastructures, it is important to understand how monetary rewards may influence decision making of hackers and analysts in the cyber world. Currently, only limited attention has been given to this area. Method: In an experiment, participants were randomly assigned to three between-subjects conditions ( n = 26 for each condition): equal payoff, where the magnitude of monetary rewards for hackers and defenders was the same; rewarding hacker, where the magnitude of monetary reward for hacker's successful attack was 10 times the reward for analyst's successful defense; and rewarding analyst, where the magnitude of monetary reward for analyst's successful defense was 10 times the reward for hacker's successful attack. In all conditions, half of the participants were human hackers playing against Nash analysts and half were human analysts playing against Nash hackers. Results: Results revealed that monetary rewards for human hackers and analysts caused a decrease in attack and defend actions compared with the baseline. Furthermore, rewarding human hackers for undetected attacks made analysts deviate significantly from their optimal behavior. Conclusions: If hackers are rewarded for their undetected attack actions, then this causes analysts to deviate from optimal defend proportions. Thus, analysts need to be trained not become overenthusiastic in defending networks. Application: Applications of our results are to networks where the influence of monetary rewards may cause information theft and system damage.

Zhuo Zhang,Brian Zhang,Wen Xu,Zhiqiang Lin

DOI: https://doi.org/10.1109/icse48619.2023.00061

2023-01-01

Abstract:Exploitable bugs in smart contracts have caused significant monetary loss. Despite the substantial advances in smart contract bug finding, exploitable bugs and real-world attacks are still trending. In this paper we systematically investigate 516 unique real-world smart contract vulnerabilities in years 2021-2022, and study how many can be exploited by malicious users and cannot be detected by existing analysis tools. We further categorize the bugs that cannot be detected by existing tools into seven types and study their root causes, distributions, difficulties to audit, consequences, and repair strategies. For each type, we abstract them to a bug model (if possible), facilitating finding similar bugs in other contracts and future automation. We leverage the findings in auditing real world smart contracts, and so far we have been rewarded with $102,660 bug bounties for identifying 15 critical zero-day exploitable bugs, which could have caused up to $22.52 millions monetary loss if exploited.

Jiayuan Zhou,Shaowei Wang,Cor-Paul Bezemer,Ying Zou,Ahmed E. Hassan

DOI: https://doi.org/10.48550/arXiv.1904.02724

2019-04-05

Abstract:Due to the voluntary nature of open source software, it can be hard to find a developer to work on a particular task. For example, some issue reports may be too cumbersome and unexciting for someone to volunteer to do them, yet these issue reports may be of high priority to the success of a project. To provide an incentive for implementing such issue reports, one can propose a monetary reward, i.e., a bounty, to the developer who completes that particular task. In this paper, we study bounties in open source projects on GitHub to better understand how bounties can be leveraged to evolve such projects in terms of addressing issue reports. We investigated 5,445 bounties for GitHub projects. These bounties were proposed through the Bountysource platform with a total bounty value of $406,425. We find that 1) in general, the timing of proposing bounties and the bounty-usage frequency are the most important factors that impact the likelihood of an issue being addressed. More specifically, issue reports are more likely to be addressed if they are for projects in which bounties are used more frequently and if they are proposed earlier. 2) The bounty value that an issue report has is the most important factor that impacts the issue-addressing likelihood in the projects in which no bounties were used before. Backers in such projects proposed higher bounty values to get issues addressed. 3) There is a risk of wasting money for backers who invest money on long-standing issue reports.

Software Engineering

Luca Allodi

DOI: https://doi.org/10.1145/3133956.3133960

2017-10-30

Abstract:Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists on the economics of attack acquisition and deployment. Yet, this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and the effects of market factors on likelihood of exploit. Our data is collected first-handedly from a prominent Russian cybercrime market where the trading of the most active attack tools reported by the security industry happens. Our findings reveal that exploits in the underground are priced similarly or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion both in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on likelihood of attack realization, and find strong evidence of the correlation between market activity and exploit deployment. We discuss implications on vulnerability metrics, economics, and exploit measurement.

Alejandro Cuevas,Emma Hogan,Hanan Hibshi,Nicolas Christin

DOI: https://doi.org/10.48550/arXiv.2204.12601

2022-04-27

Abstract:The crowd sourced security industry, particularly bug bounty programs, has grown dramatically over the past years and has become the main source of software security reviews for many companies. However, the academic literature has largely omitted security teams, particularly in crowd work contexts. As such, we know very little about how distributed security teams organize, collaborate, and what technology needs they have. We fill this gap by conducting focus groups with the top five teams (out of 18,201 participating teams) of a computer security Capture-the-Flag (CTF) competition. We find that these teams adopted a set of strategies centered on specialties, which allowed them to reduce issues relating to dispersion, double work, and lack of previous collaboration. Observing the current issues of a model centered on individual workers in security crowd work platforms, our study cases that scaling security work to teams is feasible and beneficial. Finally, we identify various areas which warrant future work, such as issues of social identity in high-skilled crowd work environments.

Cryptography and Security,Human-Computer Interaction

Nicholas Boucher,Ross Anderson

DOI: https://doi.org/10.48550/arXiv.2209.10717

2022-09-22

Cryptography and Security

Abstract:While vulnerability research often focuses on technical findings and post-public release industrial response, we provide an analysis of the rest of the story: the coordinated disclosure process from discovery through public release. The industry-wide 'Trojan Source' vulnerability which affected most compilers, interpreters, code editors, and code repositories provided an interesting natural experiment, enabling us to compare responses by firms versus nonprofits and by firms that managed their own response versus firms that outsourced it. We document the interaction with bug bounty programs, government disclosure assistance, academic peer review, and press coverage, among other topics. We compare the response to an attack on source code with the response to a comparable attack on NLP systems employing machine-learning techniques. We conclude with recommendations to improve the global coordinated disclosure system.

Xinli Yang,David Lo,Qiao Huang,Xin Xia,Jianling Sun

DOI: https://doi.org/10.1109/compsac.2016.67

2016-01-01

Abstract:In practice, some bugs have more impact than others and thus deserve more immediate attention. Due to tight schedule and limited human resource, developers may not have enough time to inspect all bugs. Thus, they often concentrate on bugs that are highly impactful. In the literature, high impact bugs are used to refer to the bugs which appear in unexpected time or locations and bring more unexpected effects, or break pre-existing functionalities and destroy the user experience. Unfortunately, identifying high impact bugs from the thousands of bug reports in a bug tracking system is not an easy feat. Thus, an automated technique that can identify high-impact bug reports can help developers to be aware of them early, rectify them quickly, and minimize the damages they cause. Considering that only a small proportion of bugs are high impact bugs, the identification of high impact bug reports is a difficult task. In this paper, we propose an approach to identify high impact bug reports by leveraging imbalanced learning strategies. We investigate the effectiveness of various imbalanced learning strategies built upon a number of well-known classification algorithms. In particular, we choose four widely used strategies for dealing with imbalanced data and use naive Bayes multinominal as the classification algorithm to conduct experiments on four datasets from four different open source projects. We perform an empirical study on a specific type of high impact bugs, i.e., surprise bugs, which were first studied by Shihab et al. The results show that under-sampling is the best imbalanced learning strategy with naive Bayes multinominal for high impact bug identification.

Mingyu Guo,Hideaki Hata,Ali Babar

DOI: https://doi.org/10.48550/arXiv.2006.14184

2020-06-25

Abstract:Markets for zero-day exploits (software vulnerabilities unknown to the vendor) have a long history and a growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploits markets. In our model, one exploit is being sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to utilize the exploits (e.g., national security agencies and police). Our model is more than a single-item auction. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities. If one defender wins, then the exploit becomes worthless to the offenders. Third, if we disclose the details of the exploit to the buyers before the auction, then they may leave with the information without paying. On the other hand, if we do not disclose the details, then it is difficult for the buyers to come up with their private valuations. Considering the above, our proposed mechanism discloses the details of the exploit to all offenders before the auction. The offenders then pay to delay the exploit being disclosed to the defenders.

Computer Science and Game Theory

Mohammadreza Hazhirpasand,Mohammad Ghafari

DOI: https://doi.org/10.48550/arXiv.2111.03859

2021-11-06

Abstract:Previous studies have shown that cryptography is hard for developers to use and misusing cryptography leads to severe security vulnerabilities. We studied relevant vulnerability reports on the HackerOne bug bounty platform to understand what types of cryptography vulnerabilities exist in the wild. We extracted eight themes of vulnerabilities from the vulnerability reports and discussed their real-world implications and mitigation strategies. We hope that our findings alert developers, familiarize them with the dire consequences of cryptography misuses, and support them in avoiding such mistakes.

Cryptography and Security

Ravi Sen,Ajay Verma,Gregory R. Heim

DOI: https://doi.org/10.1080/07421222.2019.1705511

IF: 7.582

2020-01-02

Journal of Management Information Systems

Abstract:The number of malicious hacking incidents in our increasingly IT-enabled world has been increasing over the years. Conventional wisdom focuses on negative impacts of these malicious hacker activities. We posit that malicious hacker activities also might lead to some unintended consequences, specifically related to altering of software market structure, and associated stakeholder consequences. In this study, we model the competition between two software platforms in the presence of malicious hackers who perform cyberattacks against one or both software platforms. We compare a benchmark case where malicious hackers are either absent, or if present do not target the software platforms, against a first scenario where only one software platform is targeted, and a second scenario where both software platforms are targeted. Interestingly, we find the presence of malicious hackers' activities is not always detrimental to all software industry stakeholders. In general, the results suggest that the presence of malicious hackers is more likely to result in a competitive market, while their absence is more likely to result in a monopoly. Furthermore, we show that under certain market conditions, the unsecure software platform targeted by hackers potentially can drive its more secure competitor out of the market.

information science & library science,management,computer science, information systems

Joey Ah-kiow,Benjamin Tan

2024-02-01

Abstract:Hardware security is an important concern of system security as vulnerabilities can arise from design errors introduced throughout the development lifecycle. Recent works have proposed techniques to detect hardware security bugs, such as static analysis, fuzzing, and symbolic execution. However, the fundamental properties of hardware security bugs remain relatively unexplored. To gain a better understanding of hardware security bugs, we perform a deep dive into the popular OpenTitan project, including its bug reports and bug fixes. We manually classify the bugs as relevant to functionality or security and analyze characteristics, such as the impact and location of security bugs, and the size of their bug fixes. We also investigate relationships between security impact and bug management during development. Finally, we propose an abstract syntax tree-based analysis to identify the syntactic characteristics of bug fixes. Our results show that 53% of the bugs in OpenTitan have potential security implications and that 55% of all bug fixes modify only one file. Our findings underscore the importance of security-aware development practices and tools and motivate the development of techniques that leverage the highly localized nature of hardware bugs.

Cryptography and Security