What is it about?
Recently, bug-bounty programs have gained popularity and become a significant part of the security culture of many organizations. Bug-bounty programs enable organizations to enhance their security posture by harnessing the diverse expertise of crowds of external security experts (i.e., bug hunters). Nonetheless, quantifying the benefits of bug-bounty programs remains elusive, which presents a significant challenge for managing them. Previous studies focused on measuring their benefits in terms of the number of vulnerabilities reported or based on the properties of the reported vulnerabilities, such as severity or exploitability. However, beyond these inherent properties, the value of a report also depends on the probability that the vulnerability would be discovered by a threat actor before an internal expert could discover and patch it. In this paper, we present a data-driven study of the Chromium and Firefox vulnerability-reward programs. First, we estimate the difficulty of discovering a vulnerability using the probability of rediscovery as a novel metric. Our findings show that vulnerability discovery and patching provide clear benefits by making it difficult for threat actors to find vulnerabilities; however, we also identify opportunities for improvement, such as incentivizing bug hunters to focus more on development releases. Second, we compare the types of vulnerabilities that are discovered internally vs. externally and those that are exploited by threat actors. We observe significant differences between vulnerabilities found by external bug hunters, internal security teams, and external threat actors, which indicates that bug-bounty programs provide an important benefit by complementing the expertise of internal teams, but also that external hunters should be incentivized more to focus on the types of vulnerabilities that are likely to be exploited by threat actors.
Featured Image
Photo by FLY:D on Unsplash
Why is it important?
Bug-bounty programs provide unique benefits by allowing organizations to publicly signal their commitment to security and to harness the diverse expertise of thousands of security experts in an affordable way. Despite their rapidly growing popularity, bug-bounty programs are not well understood and can be mismanaged. As a result, bug bounty programs can waste substantial resources and they rarely live up to their potential to improve cybersecurity.
Perspectives
Bug-bounty programs may benefit from incentivizing external hunters to focus more on development releases since the temporal clustering in stable releases suggest that some vulnerabilities that are relatively easy to find are not discovered during development. Similarly, programs may benefit from incentivizing hunters to focus more on the types of vulnerabilities that are likely to be exploited by threat actors. Our analysis offers another important facet for the management of bug-bounty programs. Conducting the work to identify a vulnerability and filing a comprehensive report is a time-consuming matter. However, duplicate reports are typically not rewarded. As such, our work may provide guidance regarding how to channel the attention of bug hunters to avoid collisions or which patch development or triage efforts to prioritize to avoid hacker frustration.
Aron Laszka
Pennsylvania State University
Read the Original
This page is a summary of: The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox, April 2023, ACM (Association for Computing Machinery),
DOI: 10.1145/3543507.3583352.
You can read the full text:
Resources
Contributors
The following have contributed to this page
