MODEL FOR CALCULATING THE COSTS OF A BUG BOUNTY PROGRAM FOR TESTING SECURITY VULNERABILITIES

Authors

Kipchuk, F., Sokolov, V.

DOI

https://doi.org/10.28925/2663-4023.2023.22.6883

Keywords:

attack; bug bounty; ethical hacking; pen-testing; reward; Common Vulnerability Scoring System; CVSS

Abstract

The article describes approaches to researching bug bounty programs and proposes a new approach to calculating the score of found vulnerabilities. The paper begins with an introduction to vulnerability management processes and the concept of an attack surface. It analyzes the statistics of all vulnerabilities found in information systems over the past ten years, divided according to the standard CVSS score. The types and vectors of attacks are analyzed using the example of the financial sector, and hacks and incidents in the financial sector are additionally categorized by attack vector. The ratio of the most popular attack types and vectors to the criticality of information systems is then presented. A rating of critical and high vulnerabilities from one of the bug bounty platforms is presented with a detailed description of the attack types and exploitation techniques. An integral part of the vulnerability management process is categorizing the importance of a vulnerability and its impact on the organization. Possible life-cycle scenarios for a vulnerability identified in an information system are also presented from the perspectives of the owner of the vulnerability information and the owner of the information system. A comparative quantitative and qualitative analysis of the maturity of bug bounty programs, from launch and over subsequent years, and of the factors influencing program maturity is carried out. The statistics of vulnerabilities found in public bug bounty programs over the past six years are analyzed. The author proposes her approach to calculating the effective cost of a bug bounty program and tests it experimentally on three programs. The factors influencing the calculation of the effective cost of vulnerabilities are highlighted.
Approaches to vulnerability assessment and validation by bug bounty platforms, and the stages of arbitration between the owner of the information system and the vulnerability researcher, are considered. The study concludes with recommendations for achieving a higher level of maturity in vulnerability management processes. The foregoing highlights the continual emergence and disappearance of additional factors in vulnerability management processes, of which bug bounty programs are an integral part. The interdependence between the maturity of a company's processes and its bug bounty program requires sufficient resources to be committed for the program to be effective.

Published

2023-12-28

How to Cite

Kipchuk, F., & Sokolov, V. (2023). MODEL FOR CALCULATING THE COSTS OF A BUG BOUNTY PROGRAM FOR TESTING SECURITY VULNERABILITIES. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 2(22), 68–83. https://doi.org/10.28925/2663-4023.2023.22.6883