EAGER: SaTC: Early-Stage Interdisciplinary Collaboration: Improving the Bug Bounty System

EAGER：SaTC：早期跨学科合作：改进错误赏金系统

• 批准号: 1915815
• 负责人: Ryan Ellis
• 金额: $ 30万
• 依托单位: Northeastern University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-06-01 至 2023-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1915815&HistoricalAwards=false
• 关键词: EAGER; SaTC; Early; Stage; Interdisciplinary

Bug bounty programs were once a novel way to encourage security researchers to report vulnerabilities. They are now common. Hundreds of organizations--from car manufactures to the Department of Defense--now operate bug bounty programs that purchase flaws from independent vulnerability researchers. Yet, while bug bounty programs are widely viewed as a promising strategy for reducing software attack surfaces, unsolved social and technological issues can limit the efficacy of these programs. This project uses detailed interviews with market participants and associated research to examine how bugs are identified, sold, and mitigated. It seeks to identify the persistent challenges that confront the market. The insights generated through this interdisciplinary inquiry will inform the development of innovative social and technical mechanisms that can help improve bounty programs for vulnerability researchers, program operators, and society at large. The project follows the life stages of a commercial bug: examining how bugs are discovered, sold, and mitigated. It takes commercial bugs to be sociotechnical artifacts that are situated within a web of social and technical processes. The project is interdisciplinary: it focuses on an often overlooked form of infrastructure labor--the work of discovering, selling, and fixing bugs--from the perspective of workers; and it explores how technical solutions might provide accountability into the market. The project employs interviews with market participants, review of legal and administrative data, and analysis of technical artifacts in order to better understand the barriers and frictions that dot the market. Insights developed through market observation and analysis will inform technical work to explore the design of a novel, decentralized, and trustworthy bug bounty platform. This platform will serve as a technological substrate that protects the interests of different participants in the bug bounty ecosystem.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

漏洞赏金计划曾经是鼓励安全研究人员报告漏洞的一种新颖方式。它们现在很常见。从汽车制造商到国防部，数百个组织现在都在运作漏洞赏金计划，从独立的漏洞研究人员那里购买漏洞。然而，尽管漏洞赏金计划被广泛认为是减少软件攻击面的一种有前途的策略，但未解决的社会和技术问题可能会限制这些计划的有效性。该项目使用与市场参与者的详细访谈和相关研究来检查如何识别，销售和缓解错误。它旨在确定市场面临的持续挑战。通过这种跨学科调查产生的见解将为创新的社会和技术机制的发展提供信息，这些机制可以帮助改善脆弱性研究人员，项目运营商和整个社会的赏金计划。 该项目遵循商业bug的生命阶段：检查bug是如何被发现、出售和缓解的。它把商业bug看作是社会技术工件，位于社会和技术过程的网络中。该项目是跨学科的：它从工人的角度关注一种经常被忽视的基础设施劳动形式--发现、销售和修复漏洞的工作;它还探讨了技术解决方案如何为市场提供问责制。该项目采用与市场参与者的访谈，审查法律的和行政数据，并分析技术工件，以更好地了解市场上的障碍和摩擦。通过市场观察和分析开发的见解将为技术工作提供信息，以探索设计一个新颖，分散和值得信赖的bug赏金平台。该平台将作为一个技术基础，保护漏洞赏金生态系统中不同参与者的利益。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Black-box Attacks Against Neural Binary Function Detection

• DOI: 10.1145/3607199.3607200
• 发表时间: 2022-08
• 期刊: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses
• 作者: Josh Bundt;Michael Davinroy;Ioannis Agadakos;Alina Oprea;W. Robertson

Bounty Everything: Hackers and the Making of the Global Bug Marketplace

赏金一切：黑客与全球漏洞市场的形成

• 发表时间: 2022
• 期刊: Data and Society
• 作者: Ellis, Ryan;Stevens, Yuan
• 通讯作者: Stevens, Yuan