Jens Grossklags, Assistant Research Professor, University of Pennsylvania, USA
In recent years, many organizations have established bounty programs that attract white hat hackers who contribute vulnerability reports of web systems. In this talk, I will present findings about two representative web vulnerability discovery ecosystems (Wooyun and HackerOne) and discuss their characteristics, trajectory, and impact. Both ecosystems include large and continuously growing white hat communities which have provided significant contributions to organizations from a wide range of business sectors. I will also present results about vulnerability trends, response and resolve behaviors, and reward structures of participating organizations. The analysis based on the HackerOne dataset reveals that a considerable number of organizations exhibit decreasing trends for reported web vulnerabilities. With a regression study, I will also show that monetary incentives have a significantly positive correlation with the number of vulnerabilities reported. Finally, I will make recommendations aimed at increasing participation by white hats and organizations in such ecosystems. (The talk is based on joint work with Mingyi Zhao, Aron Laszka, Thomas Maillart, and Peng Liu.)