A later module addresses cybersecurity policy through a social science framework. At this point, attention can be drawn to one type of policy, known as bug bounty policies. These policies pay individuals for identifying vulnerabilities in a company's cyber infrastructure. To identify the vulnerabilities, ethical hackers are invited to explore the cyber infrastructure using their penetration testing skills. The policies relate to economics in that they are based on cost/benefit principles. Read this article https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true and write a summary reaction to the use of the policies in your journal. Focus primarily on the literature review and the discussion of the findings.
I think a policy of bug bounties is a great idea, albeit a somewhat dangerous one. You could reward those who want to legally look through a company's source code and programming and eliminate the bugs before they're leveraged for an intrusion attempt. By the same token, you could simply give hackers a chance to look for vulnerabilities in the code to exploit illegally. The bug bounty policy theoretically relies on cybersecurity professionals, both freelancers and current students, to research code for exploits and report them for patching, for a bounty per bug (the article mentions $800 per bounty). It would help negate the lack of manpower in a company's computer science and development departments by employing outside assistance in ironing out any issues the code may have.
I think the article does a great job of breaking down and explaining the logic behind the bug bounty policy, as well as providing proof of its effectiveness, both at protecting companies and at managing costs; it mentioned the yearly cost of the bug bounty policy being around $85K, "less than the salary of 2 in-house software engineers".
In the end, they found that motivations varied between bug hunters, as did the severity of the bugs; the more dangerous the bug, the higher the risk that someone would not report it and would potentially use it against the company. More often than not, though, people utilized the bug bounties for experience, and for monetary gain of course. They also found that a company's prestige and income had no significant impact on the reports it received. This means that despite not having the well-known name or financial resources of a company like Microsoft, smaller enterprises got just as much use out of a bug bounty policy as larger enterprises. They did notice, however, a deviation in the kind of company that got reports: healthcare companies received fewer reports, while retail and financial firms received fewer valid reports.
Overall, I think the bug bounty system is a great, cost-effective policy to have, yet a somewhat dangerous one as well. Of course, initial testing will iron out many dangerous kinks in a program's code, but those that are missed can be found by professionals, or IT professionals in training, to give them much-needed experience and help the company protect itself from black hat hackers, who could scan the same program for weaknesses.