TY - GEN
T1 - The Rules of Engagement for Bug Bounty Programs
AU - Laszka, Aron
AU - Zhao, Mingyi
AU - Malbari, Akash
AU - Grossklags, Jens
N1 - Publisher Copyright:
© International Financial Cryptography Association 2018.
PY - 2018
Y1 - 2018
N2 - White hat hackers, also called ethical hackers, who find and report vulnerabilities to bug bounty programs have become a significant part of today’s security ecosystem. While the efforts of white hats contribute to heightened levels of security at the participating organizations, the white hats’ participation needs to be carefully managed to balance risks with anticipated benefits. One way, taken by organizations, to manage bug bounty programs is to create rules that aim to regulate the behavior of white hats, but also bind these organizations to certain actions (e.g., level of bounty payments). To the best of our knowledge, no research exists that studies the content of these program rules and their impact on the effectiveness of bug bounty programs. We collected and analyzed the rules of 111 bounty programs on a major bug bounty platform, HackerOne. We qualitatively study the contents of these rules to determine a taxonomy of statements governing the expected behavior of white hats and organizations. We also report specific examples of rules to illustrate their reach and diversity across programs. We further engage in a quantitative analysis by pairing the findings of the analysis of the program rules with a second dataset about the performance of the same bug bounty programs, and conducting statistical analyses to evaluate the impact of program rules on program outcomes.
UR - http://www.scopus.com/inward/record.url?scp=85072853736&partnerID=8YFLogxK
U2 - 10.1007/978-3-662-58387-6_8
DO - 10.1007/978-3-662-58387-6_8
M3 - Conference contribution
AN - SCOPUS:85072853736
SN - 9783662583869
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 138
EP - 159
BT - Financial Cryptography and Data Security - 22nd International Conference, FC 2018, Revised Selected Papers
A2 - Meiklejohn, Sarah
A2 - Sako, Kazue
PB - Springer Verlag
T2 - 22nd International Conference on Financial Cryptography and Data Security, 2018
Y2 - 26 February 2018 through 2 March 2018
ER -