Abstract
This paper presents a systematic mapping study of the research on crowdsourced security vulnerability discovery. The aim is to identify aspects of bug bounty program (BBP) research that relate to product owners, the bug-hunting crowd or vulnerability markets. Based on 72 examined papers, we conclude that research has mainly been focused on the organisation of BBPs from the product owner perspective, but that aspects such as mechanisms of the white vulnerability market and incentives for bug hunting have also been addressed. With the increasing importance of cyber security, BBPs need more attention in order to be understood better. In particular, datasets from more diverse types of companies (e.g. safety-critical systems) should be added, as empirical studies are generally based on convenience sampled public data sets. Also, there is a need for more in-depth, qualitative studies in order to understand what drives bug hunters and product owners towards finding constructive ways of working together.
This research was funded by the Swedish funding agency Vinnova, FFI program, HoliSec project (project number 2015-06894).
References
Acquisti, A., Friedman, A., Telang, R.: Is there a cost to privacy breaches? An event study. In: Proceedings of International Conference on Information Systems, p. 19 (2006)
Al-Banna, M., Benatallah, B., Schlagwein, D., Bertino, E., Barukh, M.C.: Friendly hackers to the rescue: how organizations perceive crowdsourced vulnerability discovery. In: Proceedings of the Pacific Asia Conference on Information Systems, p. 15 (2018)
Algarni, A.M., Malaiya, Y.K.: Most successful vulnerability discoverers: motivation and methods. In: Proceedings of the International Conference on Security and Management (SAM), p. 1. The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp) (2013)
Algarni, A.M., Malaiya, Y.K.: Software vulnerability markets: discoverers and buyers. Int. J. Comput. Inf. Sci. Eng. 8, 71–81 (2014). Zenodo
Allodi, L.: Economic factors of vulnerability trade and exploitation. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS 2017, pp. 1483–1499 (2017)
Allodi, L., Massacci, F.: Comparing vulnerability severity and exploits using case-control studies. ACM Trans. Inf. Syst. Secur. 17(1), 1:1–1:20 (2014)
Anderson, R., Moore, T.: The economics of information security. Science 314(5799), 610–613 (2006)
Arbaugh, W.A., Fithen, W.L., McHugh, J.: Windows of vulnerability: a case study analysis. Computer 33(12), 52–59 (2000)
Armin, J., Foti, P., Cremonini, M.: 0-day vulnerabilities and cybercrime. In: 10th International Conference on Availability, Reliability and Security, pp. 711–718 (2015)
Arora, A., Telang, R.: Economics of software vulnerability disclosure. IEEE Secur. Priv. 3(1), 20–25 (2005)
Arora, A., Krishnan, R., Telang, R., Yang, Y.: An empirical analysis of software vendors' patch release behavior: impact of vulnerability disclosure. Inf. Syst. Res. 21(1), 115–132 (2010)
Arora, A., Nandkumar, A., Telang, R.: Does information security attack frequency increase with vulnerability disclosure? An empirical analysis. Inf. Syst. Front. 8(5), 350–362 (2006). https://doi.org/10.1007/s10796-006-9012-5
Bergman, K.M.: A target to the heart of the first amendment: government endorsement of responsible disclosure as unconstitutional. Northwest. J. Technol. Intellect. Property 13, 38 (2015)
Bilge, L., Dumitraș, T.: Before we knew it: an empirical study of zero-day attacks in the real world. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 833–844. ACM, New York (2012)
Böhme, R.: Vulnerability markets. Proc. 22C3 27, 30 (2005)
Böhme, R.: A comparison of market approaches to software vulnerability disclosure. In: Müller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 298–311. Springer, Heidelberg (2006). https://doi.org/10.1007/11766155_21
Breindenbach, L., Daian, P., Tramer, F., Juels, A.: Enter the hydra: towards principled bug bounties and exploit-resistant smart contracts. In: 27th USENIX Security Symposium, pp. 1335–1352 (2018)
Cavusoglu, H., Cavusoglu, H., Raghunathan, S.: Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans. Softw. Eng. 33(3), 171–185 (2007)
Chatfield, A.T., Reddick, C.G.: Cybersecurity innovation in government: a case study of U.S. Pentagon's vulnerability reward program. In: Proceedings of the 18th Annual International Conference on Digital Government Research - DGO 2017, Staten Island, NY, USA, pp. 64–73. ACM Press (2017)
Chatfield, A.T., Reddick, C.G.: Crowdsourced cybersecurity innovation: the case of the Pentagon's vulnerability reward program. Inf. Polity 23(2), 177–194 (2018)
Choi, J.P., Fershtman, C., Gandal, N.: Network security: vulnerabilities and disclosure policy. J. Ind. Econ. 58(4), 868–894 (2010)
De Gregorio, A.: Vulnerabilities and their surrounding ethical questions: a code of ethics for the private sector. In: 2016 International Conference on Cyber Conflict (CyCon U.S.), pp. 1–4 (2016)
Egelman, S., Herley, C., van Oorschot, P.C.: Markets for zero-day exploits: ethics and implications. In: Proceedings of the 2013 Workshop on New Security Paradigms Workshop - NSPW 2013, Banff, Alberta, Canada, pp. 41–46. ACM Press (2013)
Elazari Bar On, A.: Private ordering shaping cybersecurity policy: the case of bug bounties. SSRN Scholarly Paper ID 3161758, Social Science Research Network, Rochester, NY (2018)
Esteves, J., Ramalho, E., Haro, G.D.: To improve cybersecurity, think like a hacker. MIT Sloan Manage. Rev. 58(3), 71 (2017)
Finifter, M., Akhawe, D., Wagner, D.: An empirical study of vulnerability rewards programs. In: 22nd USENIX Security Symposium, pp. 273–288 (2013)
Freeman, E.: Vulnerability disclosure: the strange case of Bret McDanel. Inf. Syst. Secur. 16(2), 127–131 (2007)
Fryer, H., Simperl, E.: Web science challenges in researching bug bounties. In: Proceedings of the 9th ACM Conference on Web Science, WebSci 2017, pp. 273–277. ACM (2017)
Guo, M., Hata, H., Babar, A.: Revenue maximizing markets for zero-day exploits. In: Baldoni, M., Chopra, A.K., Son, T.C., Hirayama, K., Torroni, P. (eds.) PRIMA 2016. LNCS (LNAI), vol. 9862, pp. 247–260. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44832-9_15
Hahn, A., Govindarasu, M.: Cyber vulnerability disclosure policies for the smart grid. In: 2012 IEEE Power and Energy Society General Meeting, pp. 1–5 (2012)
Hata, H., Guo, M., Babar, M.A.: Understanding the heterogeneity of contributors in bug bounty programs. In: 2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), pp. 223–228 (2017)
Huang, C., Liu, J., Fang, Y., Zuo, Z.: A study on Web security incidents in China by analyzing vulnerability disclosure platforms. Comput. Secur. 58, 47–62 (2016)
Huang, K., Zhang, J., Tan, W., Feng, Z.: Shifting to mobile: network-based empirical study of mobile vulnerability market. IEEE Trans. Serv. Comput. 13(1), 144–157 (2018)
Joh, H., Malaiya, Y.K.: Defining and assessing quantitative security risk measures using vulnerability lifecycle and CVSS metrics. In: Proceedings of the International Conference on Security and Management, p. 7 (2011)
Kannan, K., Telang, R., Xu, H.: Economic analysis of the market for software vulnerability disclosure. In: Proceedings of the 37th Annual Hawaii International Conference on System Sciences, p. 8 (2004)
Kannan, K., Telang, R.: Market for software vulnerabilities? Think again. Manage. Sci. 51(5), 726–740 (2005). https://www.jstor.org/stable/20110369
Kitchenham, B., Charters, S.: Guidelines for performing systematic literature reviews in software engineering. EBSE Technical report (2007)
Kitchenham, B.A., Budgen, D., Brereton, O.P.: Using mapping studies as the basis for further research - a participant-observer case study. Inf. Softw. Technol. 53(6), 638–651 (2011). Special Section: Best papers from the APSEC
Kuehn, A., Mueller, M.: Shifts in the cybersecurity paradigm: zero-day exploits, discourse, and emerging institutions. In: Proceedings of the 2014 New Security Paradigms Workshop, pp. 63–68. ACM, New York (2014)
Laszka, A., Zhao, M., Grossklags, J.: Banishing misaligned incentives for validating reports in bug-bounty platforms. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 161–178. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45741-3_9
Laszka, A., Zhao, M., Malbari, A., Grossklags, J.: The rules of engagement for bug bounty programs. In: Meiklejohn, S., Sako, K. (eds.) FC 2018. LNCS, vol. 10957, pp. 138–159. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-662-58387-6_8
Li, P., Rao, H.R.: An examination of private intermediaries' roles in software vulnerabilities disclosure. Inf. Syst. Front. 9(5), 531–539 (2007). https://doi.org/10.1007/s10796-007-9047-2
Li, Z., Liao, Q.: Economic solutions to improve cybersecurity of governments and smart cities via vulnerability markets. Gov. Inf. Q. 35(1), 151–160 (2018)
Maillart, T., Zhao, M., Grossklags, J., Chuang, J.: Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs. J. Cybersecur. 3(2), 81–90 (2017)
Mangalaraj, G.A., Raja, M.K.: Software vulnerability disclosure and its impact on exploitation: an empirical study. In: Proceedings of AMCIS 2005, p. 9 (2005)
Marconato, G.V., Nicomette, V., Kaâniche, M.: Security-related vulnerability life cycle analysis. In: 2012 7th International Conference on Risks and Security of Internet and Systems (CRiSIS), pp. 1–8 (2012)
Matwyshyn, A.M.: Hacking speech: informational speech and the first amendment. Northwestern University Law Review, p. 52 (2013)
Maxwell, P.: Stockpiling zero-day exploits: the next international weapons taboo. In: Proceedings of 5th International Conference on Management Leadership and Governance, p. 8 (2017)
McQueen, M., Wright, J.L., Wellman, L.: Are vulnerability disclosure deadlines justified? In: 2011 Third International Workshop on Security Measurements and Metrics, pp. 96–101 (2011)
Munaiah, N., Meneely, A.: Vulnerability severity scoring and bounties: why the disconnect? In: Proceedings of the 2nd International Workshop on Software Analytics, SWAN, Seattle, WA, USA, pp. 8–14. ACM, New York (2016)
Nappa, A., Johnson, R., Bilge, L., Caballero, J., Dumitras, T.: The attack of the clones: a study of the impact of shared code on vulnerability patching. In: 2015 IEEE Symposium on Security and Privacy, pp. 692–708 (2015)
Nizovtsev, D., Thursby, M.: To disclose or not? An analysis of software user behavior. Inf. Econ. Policy 19(1), 43–64 (2007)
Pandey, P., Snekkenes, E.A.: An assessment of market methods for information security risk management. In: Proceedings of 16th IEEE International Conference on High Performance and Communications (2014)
Radianti, J., Gonzalez, J.J.: Understanding hidden information security threats: the vulnerability black market. In: 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07), p. 156c (2007)
Ransbotham, S., Mitra, S., Ramsey, J.: Are markets for vulnerabilities effective? MIS Q. 36(1), 43–64 (2012)
Rescorla, E.: Is finding security holes a good idea? IEEE Secur. Priv. Mag. 3(1), 14–19 (2005)
Robinson, D.G., Halderman, J.A.: Ethical issues in e-voting security analysis. In: Danezis, G., Dietrich, S., Sako, K. (eds.) FC 2011. LNCS, vol. 7126, pp. 119–130. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29889-9_10
Ruohonen, J., Holvitie, J., Hyrynsalmi, S., Leppänen, V.: Exploring the clustering of software vulnerability disclosure notifications across software vendors. In: 2016 IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA), pp. 1–8 (2016)
Ruohonen, J., Hyrynsalmi, S., Leppänen, V.: Trading exploits online: a preliminary case study. In: 2016 IEEE Tenth International Conference on Research Challenges in Information Science (RCIS), pp. 1–12 (2016)
Ruohonen, J., Allodi, L.: A bug bounty perspective on the disclosure of web vulnerabilities. In: Proceedings of 17th Annual Workshop on the Economics of Information Security (2018)
Sipes, E.K., James, J., Zetoony, D.: Current data security issues for financial services firms. J. Invest. Compliance 17(3), 55–59 (2016)
Sprague, C., Wagner, J.: Economic motivations for software bug bounties. Econ. Bull. 38(1), 550–557 (2018)
Stevens, R.: Identifying self-inflicted vulnerabilities: the operational implications of technology within U.S. combat systems. In: 2017 International Conference on Cyber Conflict (CyCon U.S.), pp. 112–118 (2017)
Stockton, P.N., Golabek-Goldman, M.: Curbing the market for cyber weapons. Policy Rev. 32, 29 (2013)
Suárez, R.A., Scott, D.: Doing what is right with coordinated vulnerability disclosure. Biomed. Instrum. Technol. 51(s6), 42–45 (2017)
Takanen, A., Vuorijärvi, P., Laakso, M., Röning, J.: Agents of responsibility in software vulnerability processes. Ethics Inf. Technol. 6(2), 93–110 (2004). https://doi.org/10.1007/s10676-004-1266-3
Telang, R., Wattal, S.: Impact of software vulnerability announcements on the market value of software vendors - an empirical investigation. SSRN Scholarly Paper, Social Science Research Network (2005)
Wang, B., Li, X., de Aguiar, L.P., Menasche, D.S., Shafiq, Z.: Characterizing and modeling patching practices of industrial control systems. In: Proceedings of the 2017 ACM SIGMETRICS/International Conference on Measurement and Modeling of Computer Systems, p. 9. ACM, New York (2017)
Wolf, M.J., Fresco, N.: Ethics of the software vulnerabilities and exploits market. Inf. Soc. 32(4), 269–279 (2016)
Younis, A., Malaiya, Y.K., Ray, I.: Evaluating CVSS base score using vulnerability rewards programs. In: Hoepman, J.-H., Katzenbeisser, S. (eds.) SEC 2016. IAICT, vol. 471, pp. 62–75. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-33630-5_5
Zhao, M., Grossklags, J., Chen, K.: An exploratory study of white hat behaviors in a web vulnerability disclosure program. In: Proceedings of the 2014 ACM Workshop on Security Information Workers, pp. 51–58. ACM, New York (2014)
Zhao, M., Grossklags, J., Liu, P.: An empirical study of web vulnerability discovery ecosystems. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1105–1117. ACM (2015)
Zhao, M., Laszka, A., Grossklags, J.: Devising effective policies for bug-bounty platforms and security vulnerability discovery. J. Inf. Policy 7, 372–418 (2017)
Zhao, M., Laszka, A., Maillart, T., Grossklags, J.: Crowdsourced security vulnerability discovery: modeling and organizing bug-bounty programs. In: The HCOMP Workshop on Mathematical Foundations of Human Computation, Austin (2016)
Appendix A
This appendix maps each publication included in the mapping study to the categories it was assigned to: product owner (PO), crowd (CR) and market mechanisms (MM). The numbering follows the reference list; entries 37 and 38 (the two Kitchenham methodology references) are not included publications and are therefore absent.
Ref | Publication | PO | CR | MM |
---|---|---|---|---|
1 | “Is There a Cost to Privacy Breaches? An Event Study”, Acquisti, A., Friedman, A., Telang, R | X | | |
2 | “Friendly Hackers to the Rescue: How Organizations Perceive Crowdsourced Vulnerability Discovery”, Al-Banna, M., Benatallah, B., Schlagwein, D., Bertino, E., Barukh, M.C | X | | |
3 | “Most successful vulnerability discoverers: Motivation and methods”, Algarni, A.M., Malaiya, Y.K | | X | |
4 | “Software Vulnerability Markets: Discoverers And Buyers”, Algarni, A.M., Malaiya, Y.K | | X | |
5 | “Economic Factors of Vulnerability Trade and Exploitation”, Allodi, L | | | X |
6 | “Comparing Vulnerability Severity and Exploits Using Case-Control Studies”, Allodi, L., Massacci, F | X | | |
7 | “The Economics of Information Security”, Anderson, R., Moore, T | X | | X |
8 | “Windows of vulnerability: a case study analysis”, Arbaugh, W.A., Fithen, W.L., McHugh, J | X | | |
9 | “0-Day Vulnerabilities and Cybercrime”, Armin, J., Foti, P., Cremonini, M | | | X |
10 | “Economics of software vulnerability disclosure”, Arora, A., Telang, R | X | | |
11 | “An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure”, Arora, A., Krishnan, R., Telang, R., Yang, Y | X | | |
12 | “Does information security attack frequency increase with vulnerability disclosure? An empirical analysis”, Arora, A., Nandkumar, A., Telang, R | X | | |
13 | “A Target to the Heart of the First Amendment: Government Endorsement of Responsible Disclosure as Unconstitutional”, Bergman, K | | | X |
14 | “Before We Knew It: An Empirical Study of Zero-day Attacks in the Real World”, Bilge, L., Dumitraș, T | X | | |
15 | “Vulnerability markets”, Böhme, R | | | X |
16 | “A Comparison of Market Approaches to Software Vulnerability Disclosure”, Böhme, R | | | X |
17 | “Enter the Hydra: Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts”, Breindenbach, L., Daian, P., Tramer, F., Juels, A | X | | |
18 | “Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge”, Cavusoglu, H., Cavusoglu, H., Raghunathan, S | X | | |
19 | “Cybersecurity Innovation in Government: A Case Study of U.S. Pentagon's Vulnerability Reward Program”, Chatfield, A.T., Reddick, C.G | X | | |
20 | “Crowdsourced cybersecurity innovation: The case of the Pentagon's vulnerability reward program”, Chatfield, A.T., Reddick, C.G | X | | |
21 | “Network Security: Vulnerabilities and Disclosure Policy”, Choi, J.P., Fershtman, C., Gandal, N | X | | |
22 | “Vulnerabilities and their surrounding ethical questions: a code of ethics for the private sector”, De Gregorio, A | | X | |
23 | “Markets for zero-day exploits: ethics and implications”, Egelman, S., Herley, C., van Oorschot, P.C | | | X |
24 | “Private Ordering Shaping Cybersecurity Policy: The Case of Bug Bounties”, Elazari Bar On, A | X | | |
25 | “To Improve Cybersecurity, Think Like a Hacker”, Esteves, J., Ramalho, E., De Haro, G | X | | |
26 | “An Empirical Study of Vulnerability Rewards Programs”, Finifter, M., Akhawe, D., Wagner, D | X | | |
27 | “Vulnerability Disclosure: The Strange Case of Bret McDanel”, Freeman, E | X | | |
28 | “Web science challenges in researching bug bounties”, Fryer, H., Simperl, E | X | | |
29 | “Revenue Maximizing Markets for Zero-Day Exploits”, Guo, M., Hata, H., Babar, A | | | X |
30 | “Cyber vulnerability disclosure policies for the smart grid”, Hahn, A., Govindarasu, M | X | | |
31 | “Understanding the Heterogeneity of Contributors in Bug Bounty Programs”, Hata, H., Guo, M., Babar, M.A | | X | |
32 | “A study on Web security incidents in China by analyzing vulnerability disclosure platforms”, Huang, C., Liu, J., Fang, Y., Zuo, Z | | X | |
33 | “Shifting to Mobile: Network-based Empirical Study of Mobile Vulnerability Market”, Huang, K., Zhang, J., Tan, W., Feng, Z | | X | X |
34 | “Defining and Assessing Quantitative Security Risk Measures Using Vulnerability Lifecycle and CVSS Metrics”, Joh, H., Malaiya, Y.K | X | | |
35 | “Economic analysis of the market for software vulnerability disclosure”, Kannan, K., Telang, R | | | X |
36 | “Market for Software Vulnerabilities? Think Again”, Kannan, K., Telang, R | | | X |
39 | “Shifts in the Cybersecurity Paradigm: Zero-Day Exploits, Discourse, and Emerging Institutions”, Kuehn, A., Mueller, M | | | X |
40 | “Banishing Misaligned Incentives for Validating Reports in Bug-Bounty Platforms”, Laszka, A., Zhao, M., Grossklags, J | X | | |
41 | “The Rules of Engagement for Bug Bounty Programs”, Laszka, A., Zhao, M., Malbari, A., Grossklags, J | X | | |
42 | “An examination of private intermediaries' roles in software vulnerabilities disclosure”, Li, P., Rao, H.R | | | X |
43 | “Economic solutions to improve cybersecurity of governments and smart cities via vulnerability markets”, Li, Z., Liao, Q | | | X |
44 | “Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs”, Maillart, T., Zhao, M., Grossklags, J., Chuang, J | X | X | |
45 | “Software Vulnerability Disclosure and its Impact on Exploitation: An Empirical Study”, Mangalaraj, G.A., Raja, M.K | X | | |
46 | “Security-related vulnerability life cycle analysis”, Marconato, G.V., Nicomette, V., Kaâniche, M | X | | |
47 | “Hacking Speech: Informational Speech and the First Amendment”, Matwyshyn, A.M | | | X |
48 | “Stockpiling Zero-Day Exploits: The Next International Weapons Taboo”, Maxwell, P | | | X |
49 | “Are Vulnerability Disclosure Deadlines Justified?”, McQueen, M., Wright, J.L., Wellman, L | X | | |
50 | “Vulnerability Severity Scoring and Bounties: Why the Disconnect?”, Munaiah, N., Meneely, A | | | X |
51 | “The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching”, Nappa, A., Johnson, R., Bilge, L., Caballero, J., Dumitras, T | X | | |
52 | “To disclose or not? An analysis of software user behavior”, Nizovtsev, D., Thursby, M | X | X | |
53 | “An Assessment of Market Methods for Information Security Risk Management”, Pandey, P., Snekkenes, E.A | | | X |
54 | “Understanding Hidden Information Security Threats: The Vulnerability Black Market”, Radianti, J., Gonzalez, J.J | | | X |
55 | “Are Markets for Vulnerabilities Effective?”, Ransbotham, S., Mitra, S., Ramsey, J | | | X |
56 | “Is finding security holes a good idea?”, Rescorla, E | X | | |
57 | “Ethical Issues in E-Voting Security Analysis”, Robinson, D.G., Halderman, J.A | | X | |
58 | “Exploring the clustering of software vulnerability disclosure notifications across software vendors”, Ruohonen, J., Holvitie, J., Hyrynsalmi, S., Leppänen, V | X | | |
59 | “Trading exploits online: A preliminary case study”, Ruohonen, J., Hyrynsalmi, S., Leppänen, V | | | X |
60 | “A Bug Bounty Perspective on the Disclosure of Web Vulnerabilities”, Ruohonen, J., Allodi, L | | | X |
61 | “Current data security issues for financial services firms”, Sipes, E.K., James, J., Zetoony, D | X | | |
62 | “Economic Motivations for Software Bug Bounties”, Sprague, C., Wagner, J | | | X |
63 | “Identifying self-inflicted vulnerabilities: The operational implications of technology within U.S. combat systems”, Stevens, R | X | | |
64 | “Curbing the Market for Cyber Weapons”, Stockton, P.N., Golabek-Goldman, M | | | X |
65 | “Doing What Is Right with Coordinated Vulnerability Disclosure”, Suárez, R.A., Scott, D | X | | |
66 | “Agents of responsibility in software vulnerability processes”, Takanen, A., Vuorijärvi, P., Laakso, M., Röning, J | X | | |
67 | “Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - an Empirical Investigation”, Telang, R., Wattal, S | X | | |
68 | “Characterizing and Modeling Patching Practices of Industrial Control Systems”, Wang, B., Li, X., de Aguiar, L.P., Menasche, D.S., Shafiq, Z | X | | |
69 | “Ethics of the software vulnerabilities and exploits market”, Wolf, M.J., Fresco, N | | | X |
70 | “Evaluating CVSS Base Score Using Vulnerability Rewards Programs”, Younis, A., Malaiya, Y., Ray, I | X | | |
71 | “An Exploratory Study of White Hat Behaviors in a Web Vulnerability Disclosure Program”, Zhao, M., Grossklags, J., Chen, K | X | X | |
72 | “An Empirical Study of Web Vulnerability Discovery Ecosystems”, Zhao, M., Grossklags, J., Liu, P | | X | |
73 | “Devising Effective Policies for Bug-Bounty Platforms and Security Vulnerability Discovery”, Zhao, M., Laszka, A., Grossklags, J | X | | |
74 | “Crowdsourced Security Vulnerability Discovery: Modeling and Organizing Bug-Bounty Programs”, Zhao, M., Laszka, A., Maillart, T., Grossklags, J | X | X | |
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Magazinius, A., Mellegård, N., Olsson, L. (2021). What We Know About Bug Bounty Programs - An Exploratory Systematic Mapping Study. In: Groß, T., Tryfonas, T. (eds) Socio-Technical Aspects in Security and Trust. STAST 2019. Lecture Notes in Computer Science, vol 11739. Springer, Cham. https://doi.org/10.1007/978-3-030-55958-8_5
DOI: https://doi.org/10.1007/978-3-030-55958-8_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-55957-1
Online ISBN: 978-3-030-55958-8