Bug bounty programs are a new approach to pen-testing. Through them, organisations test their products by taking advantage of hackers spread all over the world. As a result, the number of vulnerabilities found increases and the cost of detecting them decreases. To maintain some control over what hackers can do, organisations specify a set of rules. Through these rules, organisations try to limit the actions to be performed and to give ethical hackers the confidence to conduct activities that are typically illegal without worrying about the risk of legal violations. This article presents an analysis of the current state of bug bounty programs. The analysis focuses on economic, ethical, and legal aspects and highlights several problems related to these aspects. Given the current state of these programs, it is important that national bodies responsible for cybersecurity address the challenges these programs impose. National and international rules are needed both to protect the parties ethically and legally and to help regulate an activity that many still consider illegal. Without that, alternative solutions to “legalize” these programs in an ad-hoc and unclear way will continue to proliferate, creating ethical and legal problems.
CIICESI, Escola Superior de Tecnologia e Gestão, Politécnico do Porto, Porto, Portugal
João Paulo Magalhães
Correspondence to João Paulo Magalhães.
Editor information
Editors and Affiliations
School of Law, University of Minho, Braga, Portugal
Francisco António Carneiro Pacheco de Andrade
Faculty of Law Oporto, Catholic University of Portugal, Porto, Portugal
Pedro Miguel Fernandes Freitas
School of Law, University of Minho, Braga, Portugal
Joana Rita de Sousa Covelo de Abreu
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter: Magalhães, J.P. (2024). Bug Bounties: Ethical and Legal Aspects. In: Carneiro Pacheco de Andrade, F.A., Fernandes Freitas, P.M., de Sousa Covelo de Abreu, J.R. (eds) Legal Developments on Cybersecurity and Related Fields. Law, Governance and Technology Series, vol 60. Springer, Cham. https://doi.org/10.1007/978-3-031-41820-4_14
DOI: https://doi.org/10.1007/978-3-031-41820-4_14
Published: 07 February 2024
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41819-8
Online ISBN: 978-3-031-41820-4
eBook Packages: Law and Criminology, Law and Criminology (R0)