Summary: A growing number of organisations are utilising the skills of a global base of white-hat hackers in order to identify pre- and post-deployment vulnerabilities. Despite the widespread adoption of bug bounty programmes, there remain many uncertainties regarding the efficacy of this relatively novel security activity, especially when considering its adoption alongside existing software development lifecycles. This dissertation explores how bug bounty programmes can be used to support data-driven software development lifecycles. To achieve this outcome, the dissertation presents four distinct contributions.
The first contribution concerns the usage of Crowdsourced Vulnerability Discovery (CVD) (of which bug bounty programmes are a part) within organisations. This includes the presentation of expert opinion pertaining to the benefits and shortcomings of existing approaches, and identification of the extent to which CVD programmes are used in software development lifecycles.
The second contribution explores the benefits and drawbacks of hosting a programme on a bug bounty platform (a centralised repository of programmes operated by a third party). Empirical analysis of operating characteristics helps address concerns around the long-term viability of programme operation, and allows for a comparison to be made between the cost of expanding a security team and the cost of running a programme.
The third contribution examines the extent to which participating in the search for vulnerabilities is a viable long-term strategy for hackers based on bug bounty platforms. The results demonstrate that participation is infeasible, even on a short-term basis, for significant numbers of hackers, highlighting the shortcomings of the current approach used by platforms.
Building on the first three, the fourth contribution explores CVD programme policies, and the extent to which pertinent information, particularly in reference to legal constraints, is communicated to hackers. A systematic review reveals the commonplace elements that form current policy documents, enabling organisations to identify gaps within their own programme policies and form policies that are consistent with peers.