Productivity and patterns of activity in bug bounty programs: analysis of hackerone and Google vulnerability research

Donatello Luna, Luca Allodi, Marco Cremonini

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer review


Abstract

In this work, we considered two well-known bug bounty programs, HackerOne and Google Vulnerability Research, with the goal of investigating patterns of activity and comparing the productivity of security researchers. HackerOne and Google's programs differ in many ways. HackerOne is one of the largest and most successful bug bounty programs, with a heterogeneous membership of security researchers and software producers. Google Vulnerability Research, instead, is a closed program for selected Google employees working on a more homogeneous range of software. For the analysis, we introduced three productivity metrics, which let us study the performance of researchers from different perspectives and identify possible patterns of activity. A contribution of this work is to shed new light on the still poorly understood environment represented by bug bounties and software vulnerability discovery initiatives. The low-hanging-fruit approach adopted by inexperienced researchers in open bug bounties has often been discussed, but less is known about the approach adopted by more experienced participants. Another result is that we have shown that a generic comparison between different bug bounty programs may lead to wrong conclusions. Bug bounty programs can exhibit large variations in researcher profiles and software characteristics, which make them not comparable without a careful examination of homogeneous subsets of participants and incentive mechanisms.

Original language: English
Title: Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES 2019
Place of publication: New York
Publisher: Association for Computing Machinery, Inc
Number of pages: 10
ISBN (electronic): 978-1-4503-7164-3
DOIs: 10.1145/3339252.3341495
Status: Published - 26 Aug 2019
Event: 14th International Conference on Availability, Reliability and Security, ARES 2019 - Canterbury, United Kingdom
Duration: 26 Aug 2019 - 29 Aug 2019
Keywords: Bug bounty programs, Researchers' productivity, Software vulnerability

Conference

Conference: 14th International Conference on Availability, Reliability and Security, ARES 2019
Country: United Kingdom
City: Canterbury
Period: 26/08/19 - 29/08/19


Cite this

Luna, D., Allodi, L., & Cremonini, M. (2019). Productivity and patterns of activity in bug bounty programs: analysis of hackerone and Google vulnerability research. In Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES 2019 [67] New York: Association for Computing Machinery, Inc. https://doi.org/10.1145/3339252.3341495