Authors

  • Stefan Frei &  Swisscom Security, April 2017

Abstract

Content

In the past, data breaches were merely considered to be a problem affecting the company in question and its customers. In the past year, however, the repercussions on developments in society and politics were illustrated very clearly. To illustrate the impact for different industrial sectors and authorities in Switzerland we evaluated raw data of leaked accounts from seven larger data breaches. These data breaches, namely  Adobe, Ashley- Madison, Badoo, Dropbox, Gawker, Linkedin and MySpace, exposed a total of 890 million user accounts.

Over the past few decades, software has become both a fundamental and critical element for both our economy and our society. It comes as no surprise, however, that interest in critical software vulnerabilities has risen considerably over past few years, particularly among cybercriminals (for profit) and state actors (for spying, sabotage). The realisation that discoverers of vulnerabilities should be rewarded for their ethical behaviour is slowly starting to gain acceptance in the industry. Under bug bounty programmes, companies offer prize money, referred to as (bug) bounties, to anybody who reports vulnerabilities in products or services. In September 2015 Swisscom became the first major company in Switzerland to offer its own Bug Bounty programme. We analyze the bug bounty reports of this program.


Download