Article Preview
Introduction
Staggering annual cybercrime costs of nearly $600 billion (Gilles, 2014), and ongoing incidents such as the 2019 breach at Capital One, which affected 100 million users, will continue to prompt questions about how to prevent cyberattacks [1]. At the heart of addressing such concerns is the ability to tackle a distinct class of software security vulnerabilities, zero-day vulnerabilities (ZDV), which are often traced as the root cause of security attacks (McKinney, 2007; Miller, 2007). ZDVs are vulnerabilities that remain unknown to the vendor and can be exploited by attackers before a fix exists (Radianti, Rich, & Gonzalez, 2009). Lucrative black markets, where ZDVs are traded as information goods for downstream exploitation, make it necessary for vendors to discover and fix vulnerabilities before an attack occurs.
Given this potential for harm, vulnerabilities create a "race for access" among three actors: buyers, black hat sellers and white hat sellers [2]. Buyers are either legitimate entities (e.g. software vendors) or illegal actors (e.g. hackers, black-market brokers), each with different motives and incentives. Black hats either discover and exploit vulnerabilities themselves or sell them in black markets, where the vulnerabilities are used to build exploits, resold downstream or used to blackmail vendors (Denning, 2015). White hats discover vulnerabilities and responsibly disclose them to vendors or legitimate intermediaries, both to earn compensation and to build their reputation in the security community. Timely action by white hats can deter misuse by black hats. However, in the absence of disclosure channels, white hats face a dilemma: they have no responsible way to report discoveries to vendors. Vendors must therefore establish mechanisms for collaborating with white hats so that vulnerabilities are found and fixed before they are exploited.
Within this context, bug bounty programs (BBP) are recognized as a legitimate channel for responsible disclosure among white hats, vendors, and intermediaries (Malladi & Subramanian, 2019). BBPs are entering the mainstream cybersecurity toolkit at organizations such as Microsoft, Google, Apple and Tesla. There are more than 300 active BBPs, rewarding researchers between $100 and $250,000 per vulnerability, which indicates that BBPs are a cost- and time-effective way to crowdsource vulnerability discovery (Ring, 2014). As seen in Figure 1(a), TippingPoint, a private intermediary, received 100 disclosures in 2006, a figure that rose to 700 disclosures in 2015 [3]. Similarly, Figure 1(b) shows data from the Bugcrowd platform, where the 1,000 vulnerabilities reported in 2013 grew to 100,000 disclosures in 2017. Table 1 shows the reward ranges offered for vulnerabilities by BBP operators.
Figure 1. (a) TippingPoint platform's growth in rate of disclosures; (b) Bugcrowd's growth in disclosures [4]. Dotted line depicts accepted disclosures; solid line depicts total disclosures.
Table 1. Reward ranges offered by firms
Note: Data is from January 2018
Table 2 depicts representative categories of vulnerabilities that were compensated by four of the leading BBPs [5]. Several of these categories have been behind massive cyberattacks (Laszka, Zhao, Malbari, & Grossklags, 2018). For example, a criminal cartel used SQL injection to steal confidential data from nearly 420,000 websites, amassing 1.2 billion login credentials [6].