Bug Bounty
A bug bounty program pays researchers a financial reward for reporting vulnerabilities to the vendor of the affected software.
6 papers and 4 talks
Bug bounties have proven an effective mechanism for vulnerability discovery, and they also reduce the supply of zero-day vulnerabilities and exploits available to malicious cyber actors.
My research proposes and validates a model for a bug bounty program of broader scope (a Bug Bounty of Last Resort). It estimates the cost of a large-scale vulnerability purchase program that follows a coordinated disclosure process and compares that cost to cybercrime losses.
Papers
- Paper - OECD - Encouraging vulnerability treatment
  This paper discusses vulnerabilities in products' code, such as software and firmware, and in how products are implemented in information systems.
  Published: Feb 2021 | Available: Paper (en, fr)
- Paper - OECD - Understanding the digital security of products
  This report shows that economic factors play an important role in the insecurity of smart products and develops an analytical framework based on the value chain and lifecycle.
  Published: Feb 2021 | Available: Paper (en, fr)
- Paper - Bug Bounty Program of Last Resort
  This paper makes the case for a centralized Bug Bounty Program of Last Resort covering critical open-source projects and smaller vendors that cannot fund a program of their own.
  Published: Feb 2021 | Available: Paper (en)
- Paper - Swisscom Security 2017 | Data Breaches & Bug Bounties
  Analysis of the number and impact of accounts leaked in large data breaches affecting major Swiss industry sectors and the government, a perspective on the cyber threats attributable to software vulnerabilities, and an insight into Swisscom's bug bounty program.
  Published: Apr 2017 | Available: Paper (en, de)
- Paper - International Vulnerability Purchase Program (IVPP)
  Cyber security depends largely on vulnerabilities being reported under the practices of coordinated disclosure. Meanwhile, the black market is expanding rapidly and offers large rewards for the same information. We examine the economics of depriving cyber criminals of access to new vulnerabilities.
  Published: Dec 2013 | Available: Paper (en)
- Paper - The Known Unknowns in Cyber Security
  Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software.
  Published: Dec 2013 | Available: Paper (en)
Talks
- Keynote - BSides HH - Hamburg 2014
  The Known Unknowns & Outbidding Cyber Criminals
  Hamburg, Dec 2014
  Event: www.securitybsides.com | Slides: bsides_known_unknows_outbidding_criminals_2014.pdf
- Talk - ISSS Security Lunch
  The Known Unknowns & Outbidding Cyber Criminals
  Zurich, Sep 2014
  Event: isss.ch
- Talk - ISD Internet Security Days 2014
  The Known Unknowns & Outbidding Cyber Criminals
  Brühl - Köln, Sep 2014
  Event: www.eco.de
- Talk - Area 41 Security Conference
  International Vulnerability Purchase Program
  Zurich, May 2014
  Event: area41.io | Slides: area41_known_unknows_outbidding_criminals_2014.pdf