Getting Started with Vulnerability Disclosure and Bug Bounty Programs
Author(s): PASCARIU, Cristian
Author(s) keywords: Bug Bounty, Crowdsourcing, Vulnerability Disclosure
Reference keywords: bug bounty, system vulnerability, Vulnerability Disclosure Program
Abstract:
The number of online platforms and services that organizations around the world offer has grown significantly, and ensuring the information security of these platforms is a task of paramount importance. Achieving this is challenging, mainly because of the shortage of skilled security professionals and the growing number of online services that companies offer. This article focuses on the benefits of using crowdsourced security programs, such as Vulnerability Disclosure Programs (VDP) and Bug Bounty programs, to complement the security assessments organizations already perform. These programs give organizations a way to interact better with the security community, gain valuable insight into their public security posture, and improve their brand image by providing a mechanism through which security researchers can notify them of imminent security risks.
Date of Publication: 2022-06-28
Publication: International Journal of Information Security and Cybercrime
ISSN: 2285-9225 e-ISSN: 2286-0096
Digital Object Identifier: 10.19107/IJISC.2022.01.03
Issue: Volume 11, Issue 1, Year 2022
Section: Studies and Analysis of Cybercrime Phenomenon
Page Range: 25-30 (6 pages)