Title: Bounty Everything: Hackers and the Making of the Global Bug Marketplace
In Bounty Everything: Hackers and the Making of the Global Bug Marketplace, researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in “bug bounty” programs—programs that hire hackers to discover and report bugs or other vulnerabilities in their systems. This report illuminates the risks and insecurities for hackers as gig workers, and how bounty programs rely on vulnerable workers to fix their vulnerable systems. Ellis and Stevens’s research offers a historical overview of bounty programs and an analysis of contemporary bug bounty platforms—the new intermediaries that now structure the vast majority of bounty work. The report draws directly from interviews with hackers, who recount that bounty programs seem willing to integrate a diverse workforce in their practices, but only on terms that deny them the job security and access enjoyed by core security workforces. These inequities go far beyond the difference experienced by temporary and permanent employees at companies such as Google and Apple, contend the authors. The global bug bounty workforce is doing piecework—they are paid for each bug, and the conditions under which a bug is paid vary greatly from one company to the next. Bounty Everything offers to reimagine how bounty programs can better serve the interests of both computer security and the workers that protect our digital world. Ellis & Stevens argue that if bounty programs are not designed and implemented properly, “this model can ironically perpetuate a world full of bugs that uses a global pool of insecure workers to prop up a business model centered on rapid iteration and perpetual beta.”
Award ID(s): 1915815
NSF-PAR ID: 10473808
Publisher / Repository: Data and Society
Format(s): Medium: X
Sponsoring Org: National Science Foundation
More Like this
  1. Recently, bug-bounty programs have gained popularity and become a significant part of the security culture of many organizations. Bug-bounty programs enable organizations to enhance their security posture by harnessing the diverse expertise of crowds of external security experts (i.e., bug hunters). Nonetheless, quantifying the benefits of bug-bounty programs remains elusive, which presents a significant challenge for managing them. Previous studies focused on measuring their benefits in terms of the number of vulnerabilities reported or based on the properties of the reported vulnerabilities, such as severity or exploitability. However, beyond these inherent properties, the value of a report also depends on the probability that the vulnerability would be discovered by a threat actor before an internal expert could discover and patch it. In this paper, we present a data-driven study of the Chromium and Firefox vulnerability-reward programs. First, we estimate the difficulty of discovering a vulnerability using the probability of rediscovery as a novel metric. Our findings show that vulnerability discovery and patching provide clear benefits by making it difficult for threat actors to find vulnerabilities; however, we also identify opportunities for improvement, such as incentivizing bug hunters to focus more on development releases. Second, we compare the types of vulnerabilities that are discovered internally vs. externally and those that are exploited by threat actors. We observe significant differences between vulnerabilities found by external bug hunters, internal security teams, and external threat actors, which indicates that bug-bounty programs provide an important benefit by complementing the expertise of internal teams, but also that external hunters should be incentivized more to focus on the types of vulnerabilities that are likely to be exploited by threat actors.
  2. Although researchers have characterized the bug-bounty ecosystem from the point of view of platforms and programs, minimal effort has been made to understand the perspectives of the main workers: bug hunters. To improve bug bounties, it is important to understand hunters’ motivating factors, challenges, and overall benefits. We address this research gap with three studies: identifying key factors through a free-listing survey (n=56), rating each factor’s importance with a larger-scale factor-rating survey (n=159), and conducting semi-structured interviews to uncover details (n=24). Of the 54 factors that bug hunters listed, we find that rewards and learning opportunities are the most important benefits. Further, we find scope to be the top differentiator between programs. Surprisingly, we find earning reputation to be one of the least important motivators for hunters. Of the challenges we identify, communication problems, such as unresponsiveness and disputes, are the most substantial. We present recommendations to make the bug-bounty ecosystem accommodating to more bug hunters and ultimately increase participation in an underutilized market.
  3. While much has been written on the dire need for workers who understand both the IT and OT core concepts necessary to protect the cyber-physical systems of critical infrastructure, practical and specific recommendations for how to meet this need through education and workforce training are lacking. Many of the available programs for teaching cybersecurity of physical systems rely on virtual simulations, and students may not encounter relevant physical equipment until they are in the workplace. RADICL’s Cyber-physical Shooting Gallery is a critical missing piece toward a comprehensive system to develop the competent workforce the nation needs. Through a series of cyber-physical capture-the-flag challenges that integrate the Purdue ICS Model with the MITRE ATT&CK framework, the Cyber-physical Shooting Gallery provides an accessible educational model for cyber-physical security education and training.
  4. Securing applications on untrusted platforms can involve protection against legitimate end-users who act in the role of malicious reverse engineers and hackers. Such adversaries have access to the full execution environment of programs, whether the program comes in the form of software or hardware. In this paper, we consider the nature of obfuscating algorithms that perform iterative, step-wise transformation of programs into more complex forms that are intended to increase the complexity (time, resources) for malicious reverse engineers. We consider simple Boolean logic programs as the domain of interest and examine a specific transformation technique known as iterative sub-circuit selection and replacement (ISR), which represents a practical, syntactic approach for obfuscation. Specifically, we focus on improving the security of ISR by maximizing the flexibility and potential security of the replacement step of the algorithm, which can be formulated as the following question: given a selection of Boolean logic gates (i.e., a sub-circuit), how can we produce a semantically equivalent (polymorphic) version of the sub-circuit such that the distribution of potential replacements represents a random, uniform distribution over the set of all possible replacements? This practical question is related to the theoretical study of indistinguishability obfuscation, where a transformer for a class of circuits guarantees that, given any two semantically equivalent circuits from the class, the distributions of variants produced by their obfuscation are computationally indistinguishable. Ideally, polymorphic circuits that follow a random, uniform distribution provide stronger protection against malicious analyzers that target identification of distinct patterns as a basis for deobfuscation and simplification.
     In this paper, we introduce a novel approach for polymorphic circuit replacement called random Boolean logic expansion (RBLE), which applies Boolean logic laws (of reduction) in reverse. We compare this approach against another proposed method of polymorphic replacement that relies on static circuit libraries. As a contribution, we show the strengths and weaknesses of each approach, examine initial results from empirical studies to estimate the uniformity of polymorphic distributions, and argue for how such algorithms can be readily applied in software contexts. RBLE provides a unique method to generate polymorphic variants of arbitrary input, output, and gate size. We report initial findings from studying variants produced by this method and, from empirical evaluation, show that RBLE has promise for generating distributions of unique, uniform circuits when size is unconstrained, but for targeted size distributions the approach requires some adjustment in order to reach potential circuit variants.