Bug bounties can increase the breadth – and the effectiveness – of white hat communities.
White hat hackers have been making significant contributions to cybersecurity by detecting vulnerabilities in companies’ software systems and websites and communicating their findings, according to a recent research project at Penn State.
Long used by agencies for penetration and vulnerability testing, white hat or ethical hacking helps organizations find holes and bugs in software, digital devices and networks, thereby better securing the online world.
Researchers at Penn State’s College of Information Sciences and Technology (IST) studying white hat behaviors suggest that organizations that reward hackers who uncover vulnerabilities in their systems could improve the bug discovery process by expanding and adding diversity to their white hat communities.
The research to understand how the white hat "market" functions was undertaken by Jens Grossklags, an assistant professor at Penn State's College of Information Sciences and Technology; Mingyi Zhao, a doctoral student at the college; and Kai Chen, a postdoctoral scholar currently at the Chinese Academy of Sciences.
Their paper, "An Exploratory Study of White Hat Behaviors in a Web Vulnerability Disclosure Program," used a dataset from WooYun.org, the "predominant" Web vulnerability disclosure program in China. The data encompassed contributions filed since the site's launch in 2010 from 3,254 white hat hackers from around the world and the 16,446 vulnerability reports they filed about 4,269 websites.
WooYun follows a process similar to other such community sites. Those who submit reports to WooYun receive no compensation. Once WooYun checks out the severity of a report, it informs the administrators of the affected site and gives them two months to fix it. Only after the fix is made will WooYun disclose the vulnerability.
The researchers found that the top contributors to WooYun posted only a fraction of all vulnerability reports on the site and that less active hackers also contributed high-quality vulnerability reports. Their conclusion: the community as a whole, rather than a few expert white hats, plays the key role in vulnerability discovery.
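The finding above rests on two measurements over a report dataset: how concentrated report volume is among the most active contributors, and how many of the severe findings come from everyone else. As an added illustration (not code from the Penn State study, and run here over a small constructed sample rather than WooYun data), the script below computes both figures so a program manager can run the same check on their own bounty submissions; the reporter names and severities are invented:

```python
from collections import Counter

# Constructed sample of (reporter, severity) pairs. These are NOT WooYun
# records; they only exist to exercise the two metrics below.
SAMPLE_REPORTS = [
    ("alice", "high"), ("alice", "high"), ("alice", "medium"), ("alice", "low"),
    ("alice", "medium"), ("alice", "low"),
    ("bob", "high"), ("bob", "medium"), ("bob", "low"), ("bob", "low"),
    ("carol", "high"), ("carol", "medium"),
    ("dave", "high"),
    ("erin", "medium"),
    ("frank", "high"),
    ("grace", "low"),
    ("heidi", "medium"),
    ("ivan", "high"),
]


def reports_per_reporter(reports):
    """Count how many reports each reporter filed."""
    return Counter(reporter for reporter, _ in reports)


def top_k_share(reports, k):
    """Fraction of all reports filed by the k most active reporters.

    A value close to 1.0 means a handful of experts dominate; a low value
    means the long tail of occasional contributors carries most of the volume.
    """
    counts = reports_per_reporter(reports)
    top_total = sum(n for _, n in counts.most_common(k))
    return top_total / len(reports)


def severe_share_outside_top_k(reports, k, severe=("high",)):
    """Fraction of severe reports that came from reporters outside the top k.

    This is the quality side of the question: even if occasional contributors
    file fewer reports, do they still surface a meaningful share of the
    high-severity findings?
    """
    counts = reports_per_reporter(reports)
    top_names = {name for name, _ in counts.most_common(k)}
    severe_reports = [(r, s) for r, s in reports if s in severe]
    if not severe_reports:
        return 0.0
    from_outside = [r for r, _ in severe_reports if r not in top_names]
    return len(from_outside) / len(severe_reports)


if __name__ == "__main__":
    k = 2
    print(f"share of all reports from top {k}: {top_k_share(SAMPLE_REPORTS, k):.2f}")
    print(f"share of high-severity reports from outside top {k}: "
          f"{severe_share_outside_top_k(SAMPLE_REPORTS, k):.2f}")
```

On the constructed sample the two most active reporters file just over half of all reports, yet more than half of the high-severity reports come from the other seven contributors, which is the pattern the researchers describe. Replace `SAMPLE_REPORTS` with rows exported from a real submission tracker to run the same check on a live program.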
This finding could influence how major Web companies — Google, Facebook and others — handle their own white hat operations. Currently, these companies often use a "vulnerability reward program" (VRP), or "bug bounty," to encourage the white hat community to uncover potential problems in their software. They also use the services of crowdsourcing companies such as HackerOne and BugCrowd, which act as liaisons between white hats and software companies.
Based on preliminary results of the WooYun research, Grossklags, Zhao and Chen suggest that managers of company vulnerability programs "should not only focus on the top contributors, but also try to attract as many white hats as possible as contributors. More participation would likely translate [into] more diversity during the search process and more discoveries."
Undertaking that, however, may require new mechanisms for working with white hats: for example, a search tool within the program that lets contributors check whether a vulnerability has already been reported, reducing duplicate submissions, and the disclosure of more technical details of past vulnerabilities, "so that white hats can learn from others' findings."
As the researchers pointed out in their report, "WooYun's full disclosure model, which allows the reading of the white hats' comments in the vulnerability reports, likely helps new and even experienced white hats to learn."