EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Improving the Bug Bounty System

Basic Information

  • Award number:
    1915815
  • Principal investigator:
  • Amount:
    $300,000
  • Host institution:
  • Host institution country:
    United States
  • Award type:
    Standard Grant
  • Fiscal year:
    2019
  • Funding country:
    United States
  • Period:
    2019-06-01 to 2023-05-31
  • Status:
    Completed

Project Summary

Bug bounty programs were once a novel way to encourage security researchers to report vulnerabilities. They are now common. Hundreds of organizations--from car manufacturers to the Department of Defense--now operate bug bounty programs that purchase flaws from independent vulnerability researchers. Yet, while bug bounty programs are widely viewed as a promising strategy for reducing software attack surfaces, unsolved social and technological issues can limit the efficacy of these programs. This project uses detailed interviews with market participants and associated research to examine how bugs are identified, sold, and mitigated. It seeks to identify the persistent challenges that confront the market. The insights generated through this interdisciplinary inquiry will inform the development of innovative social and technical mechanisms that can help improve bounty programs for vulnerability researchers, program operators, and society at large.

The project follows the life stages of a commercial bug: examining how bugs are discovered, sold, and mitigated. It takes commercial bugs to be sociotechnical artifacts situated within a web of social and technical processes. The project is interdisciplinary: it focuses on an often overlooked form of infrastructure labor--the work of discovering, selling, and fixing bugs--from the perspective of workers, and it explores how technical solutions might provide accountability in the market. The project employs interviews with market participants, review of legal and administrative data, and analysis of technical artifacts in order to better understand the barriers and frictions that run through the market. Insights developed through market observation and analysis will inform technical work to explore the design of a novel, decentralized, and trustworthy bug bounty platform. This platform will serve as a technological substrate that protects the interests of different participants in the bug bounty ecosystem.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Project Outcomes

Journal articles (3)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Black-box Attacks Against Neural Binary Function Detection
Bounty Everything: Hackers and the Making of the Global Bug Marketplace
  • DOI:
  • Published:
    2022
  • Journal:
  • Impact factor:
    0
  • Authors:
    Ellis, Ryan; Stevens, Yuan
  • Corresponding author:
    Stevens, Yuan

Other Publications by Ryan Ellis

Regulating Cybersecurity: Institutional Learning or a Lesson in Futility?
TEVAR in Connective Tissue Disease Patients is not a Definitive Option
  • DOI:
    10.1016/j.jvs.2024.06.106
  • Published:
    2024-09-01
  • Journal:
  • Impact factor:
  • Authors:
    Bryan D. Cass; Courtney Hanak; Ryan Ellis; Ahmed Sorour; Jon Quatromoni; Sean Lyden; Francis Caputo
  • Corresponding author:
    Francis Caputo
Fossil fuel interests in Puerto Rico: Perceptions of incumbent power and discourses of delay
  • DOI:
    10.1016/j.erss.2024.103467
  • Published:
    2024
  • Journal:
  • Impact factor:
    0
  • Authors:
    Laura Kuhl; Jennie C. Stephens; Carlos Arriaga Serrano; M. Pérez; C. Ortiz; Ryan Ellis
  • Corresponding author:
    Ryan Ellis
Centralizing cytoreductive surgery for ovarian cancer to high-volume centers: What is the impact of travel on patients? (2207)
  • DOI:
    10.1016/j.ygyno.2023.06.327
  • Published:
    2023-09-01
  • Journal:
  • Impact factor:
    4.100
  • Authors:
    Ryan Kahn; Xiaoyue Ma; Sushmita Gordhandas; Ryan Ellis; Xiuling Zhang; Emeline Aviki; Nadeem Abu-Rustum; Ginger Gardner; Yukio Sonoda; Oliver Zivanovic; Kara Long Roche; Elizabeth Jewell; Thomas Boerner; Dennis Chi
  • Corresponding author:
    Dennis Chi
Body morphometry may predict parastomal hernia following radical cystectomy with ileal conduit.
  • DOI:
  • Published:
    2024
  • Journal:
  • Impact factor:
    4.5
  • Authors:
    Z. Lone; David Shin; Amy Nowacki; Rebecca A. Campbell; E. Haile; Andrew Wood; Kyle Harris; Ryan Ellis; Mohammed Eltemamy; Samuel C. Haywood; J. Kaouk; Steven C Campbell; Christopher J. Weight; Georges; Benjamin Miller; Clayton Petro; L. Beffa; Ajita Prabhu; Michael Rosen; Erick M. Remer; N. Almassi
  • Corresponding author:
    N. Almassi


Other Grants of Ryan Ellis

Making Security Work: Vulnerability Disclosure Programs (VDPs) and the Organizational Foundations of Cybersecurity
  • Award number:
    2203175
  • Fiscal year:
    2022
  • Amount:
    $300,000
  • Award type:
    Standard Grant
RAPID International Type I: Collaborative Research: COVID Data Infrastructure Builders: Creating Resilient and Sustainable Research Collaborations
  • Award number:
    2109966
  • Fiscal year:
    2021
  • Amount:
    $300,000
  • Award type:
    Standard Grant

Similar Overseas Grants

EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Designing Trustworthy and Transparent Information Platforms
  • Award number:
    2128642
  • Fiscal year:
    2021
  • Amount:
    $300,000
  • Award type:
    Standard Grant
EAGER: SaTC-EDU: A Case- and Play-Based Learning Module for Cybersecurity and Artificial Intelligence Education for Early Teen Learners
  • Award number:
    2113803
  • Fiscal year:
    2021
  • Amount:
    $300,000
  • Award type:
    Standard Grant
EAGER: SaTC-EDU: Instilling a Mindset of Adversarial Thinking into Computer Science Courses Early and Often
  • Award number:
    2039354
  • Fiscal year:
    2020
  • Amount:
    $300,000
  • Award type:
    Standard Grant
EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Designing Trustworthy and Transparent Information Platforms
  • Award number:
    1915755
  • Fiscal year:
    2019
  • Amount:
    $300,000
  • Award type:
    Standard Grant
EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Collaborative: Advances in Socio-Algorithmic Information Diversity
  • Award number:
    1915833
  • Fiscal year:
    2019
  • Amount:
    $300,000
  • Award type:
    Standard Grant
EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Multi-regulation computation
  • Award number:
    1915763
  • Fiscal year:
    2019
  • Amount:
    $300,000
  • Award type:
    Standard Grant
EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Privacy-Preserving Mobile Data Collection for Social and Behavioral Research
  • Award number:
    1915828
  • Fiscal year:
    2019
  • Amount:
    $300,000
  • Award type:
    Standard Grant
EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Collaborative: Advances in Socio-Algorithmic Information Diversity
  • Award number:
    1949077
  • Fiscal year:
    2019
  • Amount:
    $300,000
  • Award type:
    Standard Grant
EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Modeling Memory Illusion for Predicting Trust in Online Information
  • Award number:
    1915801
  • Fiscal year:
    2019
  • Amount:
    $300,000
  • Award type:
    Standard Grant
EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Developing the Concept of a Near Misses Analysis Capability and NTSB-Model for Cyber Incidents
  • Award number:
    1915819
  • Fiscal year:
    2019
  • Amount:
    $300,000
  • Award type:
    Standard Grant