Responsible Disclosure Best Practices
Disciplines
Information Security
Abstract
Data breaches are becoming commonplace in today's connected environment. Digital criminals are becoming smarter and more organized, and they adopt new technologies faster and more efficiently to identify and exploit vulnerabilities. Companies facing this rapidly expanding threat landscape, in addition to an evolving regulatory environment, are scrambling to protect their people, systems, applications, networks, and processes from both internal and external threats. Often, companies are compromised many months or even years before the breach is discovered, if it is discovered at all, making remediation of the damage an uphill battle. Suffering a data breach exposes companies to fines, revenue loss, reputational damage, and in extreme cases, bankruptcy. With such significant ramifications, companies are often incentivized to delay notification, or even to cover a breach up. Recent, highly publicized, large-scale data breaches and the resulting company behavior have led to discussions and legislative changes in both the public and private sectors. In an effort to address the underlying problem rather than only its symptoms, companies have deployed responsible disclosure/bug bounty programs to leverage the knowledge, skills, and time of security researchers to proactively discover their vulnerabilities. These programs provide a safe way for researchers to report their findings, and in some cases, publicly and financially reward the individuals who responsibly disclose them.
This research in progress explores the necessity of, and best practices for, responsible disclosure/bug bounty programs by examining the programs currently in place at the top 20 Fortune 500 technology companies.
Primary Investigator (PI) Name
Andrew Green