Academic and industrial researchers say paying rewards to vulnerability researchers to locate flaws in software initially works, but mature software requires a different strategy.
An analysis of zero-day vulnerabilities suggests paying researchers to privately disclose security bugs to the developer works best to deplete easy-to-find flaws.
The research was conducted by economics and policy researchers at the Massachusetts Institute of Technology, Harvard University, Facebook, and HackerOne. The researchers used system dynamics modeling to analyze the incentives for each of the people or parties involved in the software development and vulnerability mitigation processes.
HackerOne's Katie Moussouris says, "bug bounties alone are not the more efficient way to drain the offensive pool." An alternative is to pay security specialists to create tools to find classes of vulnerabilities; this means that rather than buying the results of researchers' efforts, defenders should pay for the tools used to obtain the results.
"Most of the offensive finders don't use a lot of tools in their work," Moussouris notes. "They have a knack for finding vulnerabilities that are not tool-based, but defenders rely on the tools."
From eWeek
Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA