An empirical study of vulnerability rewards programs

Proceedings of the 22nd USENIX Security Symposium

Volumn , Issue , 2013, Pages 273-288

  Finifter, Matthew ^a   Akhawe, Devdatta ^a   Wagner, David ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPENSATION (PERSONNEL);

COMMUNITY PARTICIPATION; EMPIRICAL STUDIES; FIREFOX; HIGH POTENTIAL; SECURITY ADVISORIES; SECURITY VULNERABILITIES; SOFTWARE VENDORS; SOFTWARE VULNERABILITIES;

SECURITY OF DATA;

EID: 85076311227     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (57)

1. ADAMSKI, L. Refresh of the Mozilla Security Bug Bounty Program, July 2010. https://blog.mozilla.org/security/2010/07/15/refresh/.
2. AUSTIN, A., and WILLIAMS, L. One technique is not enough: A comparison of vulnerability discovery techniques. In Empirical Software Engineering and Measurement (ESEM), 2011 International Symposium on (2011), IEEE, pp. 97-106.
3. BARRETT, M. PayPal "Bug Bounty" Program for Security Researchers, June 2012. https://www.thepaypalblog.com/2012/06/paypal-bug-bounty-program/.
4. BARTH, A., JACKSON, C., REIS, C., and TEAM, T. G. C. The Security Architecture of the Chromium Browser. Tech. rep., Stanford University, 2008.
5. BHATTACHARYYA, N., and GARRETT, T. A. Why People Choose Negative Expected Return Assets - An Empirical Examination of a Utility Theoretic Explanation. Federal Reserve Bank of St. Louis Working Paper Series (March 2006). http://research.stlouisfed.org/wp/2006/2006-014.pdf.
6. BLINDU, E. Vulnerabilities reward programs, July 2012. http://www.testalways.com/2012/07/13/vulnerabilities-reward-programs/.
7. BUCHANAN, K., EVANS, C., REIS, C., and SEPEZ, T. A Tale of Two Pwnies (Part 2), June 2012. http://blog.chromium.org/2012/06/tale-of-two-pwnies-part-2.html.
8. BUCHANAN, K., EVANS, C., REIS, C., and SEPEZ, T. Show off Your Security Skills: Pwn2Own and Pwnium 3, January 2013. http://blog.chromium.org/2013/01/show-off-your-security-skills-pwn2own.html.
9. CARETTONI, L. "No More Free Bugs" Initiative, October 2011. http://blog.nibblesec.org/2011/10/no-more-free-bugs-initiatives.html.
10. CATAL, C., and DIRI, B. A systematic review of software fault prediction studies. Expert Systems with Applications 36, 4 (2009), 7346-7354.
11. Chromium Development Calendar and Release Info. http://www.chromium.org/developers/calendar.
12. Severity Guidelines for Security Issues. https://sites.google.com/a/chromium.org/dev/developers/severity-guidelines.
13. Chromium Bug Tracker, 2013. http://crbug.com.
14. Security: Pwnium 2 tcmalloc profile bug, 2012. http://crbug.com/154983.
15. DAV I S, N. Secure Software Development Life Cycle Processes, July 2012. https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/sdlc/326-BSI.html.
16. Defense in Depth. http://www.nsa.gov/ia/_files/support/defenseindepth.pdf.
17. MozillaWiki: Electrolysis, April 2011. https://wiki.mozilla.org/Electrolysis.
18. EDMUNDSON, A., HOLTKAMP, B., RIVERA, E., FINIFTER, M., METTLER, A., and WAGNER, D. An Empirical Study on the Effectiveness of Security Code Review. In Proceedings of the International Symposium on Engineering Secure Software and Systems (March 2013).
19. EVANS, C. Celebrating Six Months of Chromium Security Rewards, July 2010. http://blog.chromium.org/2010/07/celebrating-six-months-of-chromium.html.
20. EVANS, C. Bug bounties vs. black (& grey) markets, May 2011. http://scarybeastsecurity.blogspot.com/2011/05/bug-bounties-vs-black-grey-markets.html.
21. EVANS, C. Personal Communication, March 2013.
22. EVANS, C., GROSSE, E., MEHTA, N., MOORE, M., ORMANDY, T., TINNES, J., ZALEWSKI, M., and TEAM, G. S. Rebooting Responsible Disclosure: a focus on protecting end users, July 2010. http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html.
23. EVANS, C., and SCHUH, J. Pwnium: rewards for exploits, February 2012. http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html.
24. FINIFTER, M., and WAGNER, D. Exploring the relationship between web application development tools and security. In USENIX conference on Web application development (2011).
25. MozillaWiki: RapidRelease/Calendar, January 2013. https://wiki.mozilla.org/RapidRelease/Calendar.
26. FISHER, D. Microsoft Says No to Paying Bug Bounties, July 2010. http://threatpost.com/microsoft-says-no-paying-bug-bounties-072210/.
27. Chrome Releases: Stable Updates. http://googlechromereleases.blogspot.com/search/label/Stable%20updates.
28. GORENC, B. Pwn2Own 2013, January 2013. http://dvlabs.tippingpoint.com/blog/2013/01/17/pwn2own-2013.
29. HATTON, L. Predicting the Total Number of Faults Using Parallel Code Inspections. http://www.leshatton.org/2005/05/total-number-of-faults-using-parallel-code-inspections/, May 2005.
30. HOFMANN, C. Personal Communication, March 2013.
31. HOLLER, C. Trying new code analysis techniques, January 2012. https://blog.mozilla.org/decoder/2012/01/27/trying-new-code-analysis-techniques/.
32. Creating a Computer Security Incident Response Team: A Process for Getting Started, February 2006. https://www.cert.org/csirts/Creating-A-CSIRT.html.
33. MATTHEW FINIFTER and DEVDATTA AKHAWE AND DAVID WAGNER. Chrome and Firefox VRP datasets, June 2013. https://gist.github.com/devd/a62f2afae9f1c93397f5.
34. The MEGA Vulnerability Reward Program, February 2013. https://mega.co.nz/#blog_6.
35. MEIN, A., and EVANS, C. Dosh4Vulns: Google's Vulnerability Reward Programs, March 2011.
36. MELVEN, I. MozillaWiki: Features/Security/Low rights Firefox, August 2012. https://wiki.mozilla.org/Features/Security/Low_rights_Firefox.
37. MILLER, C. The legitimate vulnerability market: the secretive world of 0-day exploit sales. In WEIS (2007).
38. MILLS, E. Facebook launches bug bounty program, July 2011. http://news.cnet.com/8301-270803-20085163-245/facebook-launches-bug-bounty-program/.
39. MOZILLA BUGZILLA. Bug 790923: Content process sandboxing via seccomp filter. https://bugzil.la/790923.
40. MOZILLA FOUNDATION. Mozilla Foundation Security Advisories, January 2013. https://www.mozilla.org/security/announce/.
41. Netscape announces "netscape bugs bounty" with release of netscape navigator 2.0 beta. The Internet Archive. http://web.archive.org/web/19970501041756/www101.netscape.com/newsref/pr/newsrelease48.html.
42. NEUHAUS, S., and PLATTNER, B. Software security economics: Theory, in practice. In WEIS (2012).
43. NEUHAUS, S., ZIMMERMANN, T., HOLLER, C., and ZELLER, A. Predicting vulnerable software components. In Proceedings of the 14th ACM conference on Computer and communications security (2007), ACM, pp. 529-540.
44. National Vulnerability Database. http://nvd.nist.gov/.
45. OBES, J. L., and SCHUH, J. A Tale of Two Pwnies (Part 1), May 2012. http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html.
46. Understanding Operational Security. http://www.cisco.com/web/about/security/intelligence/opsecurity.html.
47. OZMENT, A., and SCHECHTER, S. E. Milk or wine: does software security improve with age. In In USENIX-SS06: Proceedings of the 15th conference on USENIX Security Symposium (2006), USENIX Association.
48. RAYMOND, E. S. The Cathedral and the Bazaar, 1st ed. O'Reilly & Associates, Inc., Sebastopol, CA, USA, 1999.
49. RESCORLA, E. Is finding security holes a good idea? IEEE Security & Privacy 3, 1 (2005), 14-19.
50. CERT/CC Vulnerability Disclosure Policy, November 2012. https://www.cert.org/kb/vul_disclosure.html.
51. Chromium bug tracker: Sandbox bypasses found in review, 2013. http://goo.gl/13ZlR.
52. SCHOLTE, T., BALZAROTTI, D., and KIRDA, E. Quo vadis? a study of the evolution of input validation vulnerabilities in web applications. Financial Cryptography and Data Security (2012), 284-298.
53. Secunia Vulnerability Coordination Reward Program (SVCRP). https://secunia.com/community/research/svcrp/.
54. THE BLUEHAT TEAM. Microsoft Security Bounty Programs. http://www.microsoft.com/security/msrc/report/bountyprograms.aspx, June 2013.
55. THE CHROMIUM AUTHORS. Vulnerability Rewards Program: Rewards FAQ, 2010. http://goo.gl/m1MdV.
56. VEDITZ, D. Personal Communication, February 2013.
57. Vulnerability Remediation, September 2010. https://www.cert.org/vuls/remediation.html.