What We Know About Bug Bounty Programs - An Exploratory Systematic Mapping Study
2019 (English). In: International Workshop on Socio-Technical Aspects in Security and Trust STAST 2019: Socio-Technical Aspects in Security and Trust. Part of the Lecture Notes in Computer Science book series (LNCS, volume 11739), Springer Science and Business Media Deutschland GmbH, 2019, p. 89-106. Conference paper, Published paper (Refereed)
Abstract [en]
This paper presents a systematic mapping study of the research on crowdsourced security vulnerability discovery. The aim is to identify aspects of bug bounty program (BBP) research that relate to product owners, the bug-hunting crowd or vulnerability markets. Based on 72 examined papers, we conclude that research has mainly focused on the organisation of BBPs from the product owner perspective, but that aspects such as the mechanisms of the white vulnerability market and incentives for bug hunting have also been addressed. With the increasing importance of cyber security, BBPs need more attention in order to be understood better. In particular, datasets from more diverse types of companies (e.g. safety-critical systems) should be added, as empirical studies are generally based on convenience-sampled public data sets. Also, there is a need for more in-depth, qualitative studies in order to understand what drives bug hunters and product owners towards finding constructive ways of working together.
Place, publisher, year, edition, pages
Springer Science and Business Media Deutschland GmbH, 2019. p. 89-106
Keywords [en]
Bug bounty, Literature review, Systematic mapping, Commerce, Digital storage, Safety engineering, Security of data, Bug hunting, Cyber security, Empirical studies, Public data, Qualitative study, Safety critical systems, Security vulnerabilities, Systematic mapping studies, Mapping
National Category
Embedded Systems
Identifiers
URN: urn:nbn:se:ri:diva-55674
DOI: 10.1007/978-3-030-55958-8_5
Scopus ID: 2-s2.0-85111025705
ISBN: 9783030559571 (print)
OAI: oai:DiVA.org:ri-55674
DiVA, id: diva2:1583713
Conference
International Workshop on Socio-Technical Aspects in Security and Trust STAST 2019: Socio-Technical Aspects in Security and Trust, 26 September 2019 through 26 September 2019
2021-08-09, 2021-08-09, 2021-08-09. Bibliographically approved