EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Improving the Bug Bounty System

Project Details

Lead PI

Performance Period

Jun 01, 2019 - May 31, 2021

Institution(s)

Northeastern University

Sponsor(s)

National Science Foundation

Award Number


Bug bounty programs were once a novel way to encourage security researchers to report vulnerabilities. They are now common. Hundreds of organizations--from car manufacturers to the Department of Defense--now operate bug bounty programs that purchase flaws from independent vulnerability researchers. Yet, while bug bounty programs are widely viewed as a promising strategy for reducing software attack surfaces, unsolved social and technological issues can limit the efficacy of these programs. This project uses detailed interviews with market participants and associated research to examine how bugs are identified, sold, and mitigated. It seeks to identify the persistent challenges that confront the market. The insights generated through this interdisciplinary inquiry will inform the development of innovative social and technical mechanisms that can help improve bounty programs for vulnerability researchers, program operators, and society at large.

The project follows the life stages of a commercial bug: examining how bugs are discovered, sold, and mitigated. It takes commercial bugs to be sociotechnical artifacts that are situated within a web of social and technical processes. The project is interdisciplinary: it focuses on an often overlooked form of infrastructure labor--the work of discovering, selling, and fixing bugs--from the perspective of workers; and it explores how technical solutions might provide accountability into the market. The project employs interviews with market participants, review of legal and administrative data, and analysis of technical artifacts in order to better understand the barriers and frictions that dot the market. Insights developed through market observation and analysis will inform technical work to explore the design of a novel, decentralized, and trustworthy bug bounty platform. This platform will serve as a technological substrate that protects the interests of different participants in the bug bounty ecosystem.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.