Bug Bounty Marketplaces and Enabling Responsible Vulnerability Disclosure: An Empirical Analysis

Hemang Chamakuzhi Subramanian (Florida International University, Miami, USA) and Suresh Malladi (Cybersecurity Researcher & Consultant, Fayetteville, USA)
Copyright: © 2020 | Pages: 26
DOI: 10.4018/JDM.2020010103
Cybercrime caused by exploited vulnerabilities places a huge burden on societies. Most of these vulnerabilities are detectable, and the damage is preventable if software vendors and firms that deploy such software adopt the right practices. Bug Bounty Programs (BBPs) by vendors and intermediaries are one of the most important creations in recent years that help software vendors to create marketplaces and to detect and prevent such exploits. This article develops the theory of BBPs and presents a typology of BBPs using established theories of incentive compatibility and mechanism design. The authors empirically analyze the market creation function of BBPs using granular data from two different types of BBPs on a popular intermediary platform. The research findings suggest that BBPs are valuable opportunities to source vulnerabilities in software; nevertheless, the rate of disclosure and hacker participation marginally increases with vendor's rewards and other incentives. Similarly, the results show that security researchers are motivated to contribute to BBPs that offer higher remuneration and not just those programs with a higher likelihood for bug discovery. Our findings will help researchers and practitioners in information security and allied domains to develop a theoretical and empirical perspective of BBPs, and their usefulness to curb incidents of cybercrime.
Article Preview


Staggering annual cybercrime costs of nearly $600 billion (Gilles, 2014), and ongoing incidents such as the 2019 breach at Capital One, which affected 100 million users, will constantly prompt questions on how to prevent cyberattacks¹. At the heart of addressing such concerns is the ability to tackle a unique class of software security vulnerabilities categorized as Zero-day Vulnerabilities (ZDV), often traced as the root cause behind security attacks (McKinney, 2007; Miller, 2007). ZDVs refer to vulnerabilities that remain unknown to vendors and can be exploited by hackers before they are fixed (Radianti, Rich, & Gonzalez, 2009). Lucrative black markets where ZDVs are traded as information goods for downstream exploitation often necessitate that vendors discover and fix vulnerabilities before an impending attack.

Given such a possibility of harm, vulnerabilities create a “race for access” amongst three actors, i.e., buyers, black hat sellers and white hat sellers². Buyers are either legitimate entities (e.g., software vendors) or illegal actors (e.g., hackers, black-market brokers), each with different motives and incentives. Black hats either discover and exploit vulnerabilities or sell them in black markets where these vulnerabilities are used to create exploits, resold downstream or used to blackmail vendors (Denning, 2015). White hats discover and responsibly disclose vulnerabilities to vendors or legitimate intermediaries to earn compensation and to increase their reputation in the security community. Timely actions by white hats can deter misuse by black hats. However, in the absence of disclosure channels, white hats face a dilemma and cannot responsibly report discoveries to vendors. As a result, vendors must initiate mechanisms to collaborate with white hats to notice and fix vulnerabilities before exploitation.

Within this context, Bug Bounty Programs (BBP) are recognized as a legitimate channel for responsible disclosure among white hats, vendors, and intermediaries (Malladi & Subramanian, 2019). BBPs are entering the mainstream cybersecurity toolkits in organizations such as Microsoft, Google, Apple and Tesla. There are more than 300 active BBPs rewarding researchers between $100-$2,50,000 per vulnerability, demonstrating that BBPs are a cost- and time-effective solution to crowdsource vulnerability discovery (Ring, 2014). As seen from Figure 1(a), TippingPoint, a private intermediary, received 100 disclosures in 2006, which subsequently increased to 700 disclosures in 2015³. Similarly, Figure 1(b) shows data from the Bugcrowd platform: the 1000 vulnerabilities reported in 2013 increased to 100000 disclosures in 2017. Table 1 shows the reward price ranges offered for vulnerabilities by BBP operators.

Figure 1.

(a) Tipping Point platform’s growth in rate of disclosures; (b) Bugcrowd’s growth in disclosures⁴. Dotted line depicts accepted disclosures; straight line depicts total disclosures.

Table 1.
Reward ranges offered by firms

Note: Data is from January 2018

Table 2 depicts the representative categories of vulnerabilities that were compensated by four of the leading BBPs⁵. Several of these categories have resulted in massive cyberattacks (Laszka, Zhao, Malbari, & Grossklags, 2018). For example, a criminal cartel stole confidential data from nearly 420,000 websites using SQL injections, amassing 1.2 billion ID credentials⁶.
