Design of Bug Bounty Schemes

Status:

This project started in Fall 2022 and is ongoing.

Researchers:

Prof. Dr. Hans Gersbach (ETH)
Dr. Hugo van Buggenum (ETH)

Industry Partner:

Swiss Post

Description:

Software often has security vulnerabilities that adversaries can exploit, with potentially significant negative social or economic consequences. To protect themselves, organizations have traditionally invested substantial resources in building and maintaining dedicated security teams. In recent years, however, systems have grown in complexity, and internal teams alone no longer adequately address potential vulnerabilities. It may be that as many as half of all bugs are not found internally.

Given this, organizations have increasingly relied on bug bounty programs, in which external individuals probe the systems and report any vulnerabilities (bugs) in exchange for monetary rewards (bounties). Beyond tech companies and blockchain projects, the recent successes of such programs have led public authorities to adopt bug bounties systematically as a core measure of government cybersecurity. For example, the Federal Council of Switzerland states in a recent press release that “standardized security tests are no longer sufficient to uncover hidden loopholes. Therefore, in the future, it is intended that ethical hackers will search through the Federal Administration’s productive IT system and applications for vulnerabilities as part of so-called bug bounty programmes.” [1]

Despite its growing importance, however, the design of bug bounty schemes for software and blockchains has received little attention in economic research. Our project aims to offer insights into several dimensions of bug bounty design using tools from game theory and mechanism design.

Specifically, we build foundational models to study bug bounty schemes. We focus on important design variables:

  • How large should the crowd of agents invited to find bugs be?
  • Should paid experts be added to the crowd of invited bug finders?
  • Should artificial bugs be added to the software to increase participation in bug finding?
  • How should prizes for real and artificial bugs be designed?
  • How should the existence of artificial bugs be communicated?
  • How should prizes for successful bug finding be determined?
  • How do entry checks and barriers regarding the reputation and past achievements of security researchers affect the probability of finding bugs?
  • Or would the opposite approach, admitting only newcomers, be beneficial in a bug bounty scheme?
  • How can bug bounty programs be designed to attract able security researchers, given the competition for such talent?
  • How can rewards (monetary, reputation, and career concerns) be optimally mixed in order to achieve the best balance between software security and costs of bug bounty schemes?

To answer these questions, we develop foundational models of crowd-search security and derive insights for bug bounty schemes in particular environments.

So far we have developed two models, summarized below:

Crowdsearch (CEPR Discussion Paper No. 18529, Hans Gersbach, Akaki Mamageishvili, and Fikri Pitsuwan): Crowdsearch is a common phenomenon in which a group of agents is invited to search for a valuable physical or virtual object, e.g. creating and patenting an invention, solving an open scientific problem, searching for a vulnerability in software, or finding a valid nonce in proof-of-work mining. We study a binary model of crowdsearch in which agents have different abilities to find the object. We characterize the types of equilibria and identify which type of crowd guarantees that the object is found. Sometimes even an unlimited crowd is not sufficient. It can happen that inviting more agents lowers the probability of finding the object, and this may also happen when non-strategic agents are added. We characterize the optimal prize and show that a single prize (winner-takes-all) maximizes the probability of finding the object, but this is not necessarily optimal for the crowdsearch designer.
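The following toy contest model is an added illustration written for this page; it is not code from the project and does not reproduce the model of the Crowdsearch paper. It makes one of the results above concrete: in a winner-takes-all contest, adding searchers can lower the probability that the bug is found, even when the added searchers are non-strategic. The payoff structure (independent finding probabilities, a fixed search cost, a single prize split evenly among finders, strategic agents entering only when their expected payoff is non-negative) and all parameter values are assumptions chosen for the example.

```python
"""Toy crowdsearch contest.

Illustrative model written for this page, NOT the model of the
Crowdsearch paper.  Assumptions (all hypothetical):
  * a searching agent i finds the bug independently with probability p_i
    and pays a fixed search cost;
  * one prize is paid (winner-takes-all), split evenly among all finders;
  * strategic agents search iff their expected payoff is non-negative
    given what the others do (pure-strategy Nash equilibrium);
  * non-strategic agents always search.
"""
from itertools import combinations


def finder_count_distribution(probs):
    """Distribution of the number of finders among independent searchers.

    Returns a list d with d[k] = P(exactly k of the searchers find the bug).
    """
    dist = [1.0]
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for k, q in enumerate(dist):
            nxt[k] += q * (1.0 - p)  # this searcher fails
            nxt[k + 1] += q * p      # this searcher finds the bug
        dist = nxt
    return dist


def find_probability(probs):
    """Probability that at least one of the searching agents finds the bug."""
    return 1.0 - finder_count_distribution(probs)[0]


def search_payoff(p_i, other_probs, prize, cost):
    """Expected payoff of agent i from searching, given who else searches.

    If i finds the bug alongside k other finders, i receives prize / (k + 1).
    """
    dist = finder_count_distribution(other_probs)
    expected_share = sum(q / (k + 1) for k, q in enumerate(dist))
    return p_i * prize * expected_share - cost


def pure_equilibria(strategic, nonstrategic, prize, cost):
    """Enumerate pure-strategy Nash equilibria of the entry game.

    `strategic` and `nonstrategic` are lists of finding probabilities.
    Each equilibrium is the tuple of indices (into `strategic`) of the
    agents who search; non-strategic agents search in every profile.
    Exhaustive enumeration, so only intended for small crowds.
    """
    equilibria = []
    n = len(strategic)
    for r in range(n + 1):
        for searchers in combinations(range(n), r):
            stable = True
            for j, p_j in enumerate(strategic):
                others = [strategic[i] for i in searchers if i != j] + list(nonstrategic)
                payoff = search_payoff(p_j, others, prize, cost)
                # a searcher must not lose money; a non-searcher must not
                # be able to gain by entering
                if (j in searchers and payoff < 0) or (j not in searchers and payoff > 0):
                    stable = False
                    break
            if stable:
                equilibria.append(searchers)
    return equilibria


def equilibrium_find_probabilities(strategic, nonstrategic, prize, cost):
    """Find probability in each pure equilibrium, keyed by the searching strategic agents."""
    return {
        eq: find_probability([strategic[i] for i in eq] + list(nonstrategic))
        for eq in pure_equilibria(strategic, nonstrategic, prize, cost)
    }


def crowding_out_example():
    """One strong strategic searcher (p = 0.9) alone, versus the same searcher
    plus six always-searching weak agents (p = 0.3 each).  Prize 1.0, cost 0.5.
    Returns (P(found) alone, P(found) with the added crowd)."""
    strong, weak_crowd = [0.9], [0.3] * 6
    alone = equilibrium_find_probabilities(strong, [], 1.0, 0.5)
    crowded = equilibrium_find_probabilities(strong, weak_crowd, 1.0, 0.5)
    # each scenario has a unique pure equilibrium under these parameters
    return next(iter(alone.values())), next(iter(crowded.values()))


if __name__ == "__main__":
    p_alone, p_crowd = crowding_out_example()
    print(f"strong searcher alone:        P(found) = {p_alone:.4f}")
    print(f"plus six weak non-strategic:  P(found) = {p_crowd:.4f}")
```

Under these parameters the strong searcher alone finds the bug with probability 0.9. Once six weak non-strategic agents are added, the strong searcher's expected share of the single prize drops below the search cost, so the only equilibrium is one in which it stays out, and the weak crowd on its own finds the bug with probability 1 - 0.7^6 ≈ 0.882. The mechanism is crowding out through prize dilution; the paper's own model, equilibrium characterization and optimal-prize results should be taken from the paper itself.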

Artificial Bugs for Bug Bounty (CEPR Discussion Paper No. 19047, Hans Gersbach, Fikri Pitsuwan, and Pio Blieske): Bug bounty programs, in which external agents are invited to search for and report vulnerabilities (bugs) in exchange for rewards (bounties), have become a major tool for companies to improve their systems. We suggest augmenting such programs by inserting artificial bugs to strengthen the incentives to search for real (organic) bugs. Using a model of crowdsearch, we identify the efficiency gains from artificial bugs and show that a single artificial bug suffices to obtain them. Artificial bugs are particularly beneficial, for instance, if the designer places a high valuation on finding organic bugs or if the bounty budget is not sufficiently high. We discuss how to implement artificial bugs and outline their further benefits.

Next, we will study how the insertion of (known) artificial bugs can be implemented in practice. We will also begin examining competition for ethical hackers among several bug bounty organizers, paying specific attention to how an individual organizer can best position itself in a competitive environment.

Publications

Hans Gersbach, Akaki Mamageishvili and Fikri Pitsuwan
Decentralized Attack Search and the Design of Bug Bounty Schemes
In Proceedings of the 16th International Symposium on Algorithmic Game Theory (SAGT), 2023 [pdf]

Hans Gersbach and Fikri Pitsuwan
Artificial bugs for enhanced cybersecurity
In VoxEU Column, 2024

Working Papers and Reprints:

  • Hans Gersbach, Fikri Pitsuwan, and Pio Blieske. Artificial Bugs for Bug Bounty. CEPR Discussion Paper No. 19047, 2024.
  • Hans Gersbach, Akaki Mamageishvili, and Fikri Pitsuwan. Crowdsearch. CEPR Discussion Paper No. 18529, 2023.
  • Hans Gersbach, Akaki Mamageishvili, and Fikri Pitsuwan. Decentralized Attack Search and the Design of Bug Bounty Schemes. Preprint, 2023 [pdf].

[1] www.admin.ch/gov/en/start/documentation/media-releases.msg-id-89868.html, accessed November 22, 2022.