Author Topic: seminar
Dario Catalano
« on: 14-11-2016, 10:24:05 »

On Monday 21 November at 10:30, in the Anile room of our department, Prof. Jens Grossklags of Penn State University (USA) will give a seminar entitled (the abstract follows)

Empirical Results and Economic Policies for Bug-Bounty Platforms and Security Vulnerability Discovery

You are all invited to attend.
Best regards
Dario Catalano

In recent years, many organizations have established bounty programs that attract white hat hackers who contribute vulnerability reports about web systems. In this talk, I will discuss an analysis of publicly available data of two representative web vulnerability discovery ecosystems (Wooyun and HackerOne), focusing on their characteristics, trajectory, and impact. The results show that both ecosystems include large and continuously growing white hat communities which have provided significant contributions to organizations from a wide range of business sectors. I will also discuss vulnerability trends, response and resolution behaviors, and reward structures of participating organizations.

Based on the empirical results, I will highlight several key challenges which threaten the potential of bug bounty platforms. First, with a growing number of participating companies, the problem of efficiently allocating and distributing the valuable but scarce effort of white hat researchers is becoming paramount. Second, participating companies incur significant efforts to evaluate the submitted vulnerability reports with the percentage of invalid reports ranging from 35% to 55% on different platforms. To address these challenges, I will present an economic framework consisting of two models to evaluate different economic policies to improve the effectiveness of bug bounty programs. I begin by introducing an economic model to study the allocation of hackers in bug-bounty programs. The model captures the hackers’ vulnerability-discovery process with an emphasis on the diversity of hackers’ capability in identifying vulnerabilities. Different policies for a bug bounty program are then introduced which allocate a set of ethical hackers to work on vulnerability discovery for their site. To address the second problem area, I present another theoretical model for evaluating established and novel approaches for reducing the number of invalid reports.

The talk is based on joint work with Aron Laszka, Mingyi Zhao, Thomas Maillart, Peng Liu, and John Chuang.
