Efficient and Scalable Bug-Bounty Programs
Funded in part by the National Science Foundation under Award CNS-1850510
Many organizations and companies have recently chosen to use so-called bug-bounty programs (also known as vulnerability reward programs), which allow outside security experts to evaluate the security of an organization’s products and services and to report security vulnerabilities in exchange for rewards. Bug-bounty programs provide unique benefits by allowing organizations to publicly signal their commitment to security and to harness the diverse expertise of thousands of security experts in an affordable way. Despite their rapidly growing popularity, bug-bounty programs are not well understood and can be mismanaged. As a result, bug-bounty programs can waste substantial resources, and they rarely live up to their potential to improve cybersecurity. This project will significantly improve the efficiency of bug-bounty programs by collecting and publishing comprehensive datasets on the bug-bounty ecosystem, by establishing a sound theory of bug-bounty programs, and by providing practical recommendations for organizations and regulators. The project will directly benefit organizations and companies by enabling them to manage bug-bounty programs more efficiently, which will allow them to eliminate security vulnerabilities at a lower cost; it will also benefit users by improving the security of software products and services.
This project comprises four research thrusts. The first thrust will build a dataset that captures the entire bug-bounty ecosystem by collecting activity data and rule descriptions from public bug-bounty programs, conducting interviews and focus-group studies with experts who regularly participate in programs, collecting social-media posts, and incorporating existing datasets, such as vulnerability databases. The second thrust will analyze this dataset to understand the ecosystem and its actors’ incentives and actions, and to characterize processes, such as discovering and reporting vulnerabilities and rewarding reports. To code textual data, the project will first develop a terminology and taxonomy of bug-bounty related concepts. Driven by the results of the data analysis, the third thrust will develop a formal model of the bug-bounty ecosystem, which will incorporate technological processes as well as behavioral and economic incentives. To capture all aspects of such a complex ecosystem, the project will employ models and techniques from multiple disciplines and areas, including economics and cybersecurity. Building on this model, the fourth thrust will propose and evaluate novel approaches for improving the efficiency and scalability of bug-bounty programs. The project will consider policies for individual bug-bounty programs, such as rules for rewarding vulnerability reports, as well as mechanisms for regulating bug-bounty programs and for instigating coordination between them.