A Deep Dive Into How Open-Source Project Maintainers Review and Resolve Bug Bounty Reports
- URL: http://arxiv.org/abs/2409.07670v1
- Date: Thu, 12 Sep 2024 00:15:21 GMT
- Title: A Deep Dive Into How Open-Source Project Maintainers Review and Resolve Bug Bounty Reports
- Authors: Jessy Ayala, Steven Ngo, Joshua Garcia
- Abstract summary: We primarily investigate the perspective of open-source software (OSS) maintainers who have used huntr, a bug bounty platform.
As a result, we categorize 40 identified characteristics into benefits, challenges, helpful features, and wanted features.
We find that private disclosure and project visibility are the most important benefits, while hunters focused on money or CVEs and pressure to review are the most challenging to overcome.
- Score: 6.814841205623832
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Researchers have investigated the bug bounty ecosystem from the lens of platforms, programs, and bug hunters. Understanding the perspectives of bug bounty report reviewers, especially those who historically lack a security background and little to no funding for bug hunters, is currently understudied. In this paper, we primarily investigate the perspective of open-source software (OSS) maintainers who have used \texttt{huntr}, a bug bounty platform that pays bounties to bug hunters who find security bugs in GitHub projects and have had valid vulnerabilities patched as a result. We address this area by conducting three studies: identifying characteristics through a listing survey ($n_1=51$), their ranked importance with Likert-scale survey data ($n_2=90$), and conducting semi-structured interviews to dive deeper into real-world experiences ($n_3=17$). As a result, we categorize 40 identified characteristics into benefits, challenges, helpful features, and wanted features. We find that private disclosure and project visibility are the most important benefits, while hunters focused on money or CVEs and pressure to review are the most challenging to overcome. Surprisingly, lack of communication with bug hunters is the least challenging, and CVE creation support is the second-least helpful feature for OSS maintainers when reviewing bug bounty reports. We present recommendations to make the bug bounty review process more accommodating to open-source maintainers and identify areas for future work.
Related papers
- Investigating Vulnerability Disclosures in Open-Source Software Using Bug Bounty Reports and Security Advisories [6.814841205623832] (2025-01-29T16:36:41Z)
We conduct an empirical study on 3,798 reviewed GitHub security advisories and 4,033 disclosed OSS bug bounty reports.
We are the first to determine the explicit process describing how OSS vulnerabilities propagate from security advisories and bug bounty reports.
- 4.5 Million (Suspected) Fake Stars in GitHub: A Growing Spiral of Popularity Contests, Scams, and Malware [58.60545935390151] (2024-12-18T03:03:58Z)
We present a global, longitudinal measurement study of fake stars in GitHub.
We build StarScout, a scalable tool able to detect anomalous starring behaviors.
Our study has implications for platform moderators, open-source practitioners, and supply chain security researchers.
- Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545] (2024-11-12T01:55:51Z)
Apache Log4J was found to be vulnerable to remote code execution attacks.
More than 35,000 packages were forced to update their Log4J libraries with the latest version.
It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerability-free version.
- A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features [6.814841205623832] (2024-09-12T00:15:03Z)
This paper investigates the perspectives of OSS maintainers on vulnerability management and platform security features.
We find that supply chain mistrust and lack of automation for vulnerability management are the most challenging.
Barriers to adopting platform security features include a lack of awareness and the perception that they are not necessary.
- Artificial Bugs for Crowdsearch [0.0] (2024-03-14T15:27:14Z)
We suggest augmenting such programs by inserting artificial bugs to increase the incentives to search for real (organic) bugs.
We show that for this, it is sufficient to insert only one artificial bug.
- Studying the association between Gitcoin's issues and resolving outcomes [2.6613573097751866] (2023-09-26T15:36:55Z)
We study over 4,000 issues with Gitcoin bounties using statistical analysis and machine learning techniques.
Our study highlights the importance of factors such as the length of the project, issue description, type of bounty issue, and the bounty value, which are found to be highly correlated with the outcome of bounty issues.
- What Happens When We Fuzz? Investigating OSS-Fuzz Bug History [0.9772968596463595] (2023-05-19T05:15:36Z)
We analyzed 44,102 reported issues made public by OSS-Fuzz prior to March 12, 2022.
We identified the bug-contributing commits to estimate when the bug-containing code was introduced, and measure the timeline from introduction to detection to fix.
- An Exploratory Study on the Evidence of Hackathons' Role in Solving OSS Newcomers' Challenges [54.56931759953522] (2023-05-16T15:40:19Z)
We aim to understand and discuss the challenges newcomers face when joining an OSS project.
We collect evidence on how hackathons were used to address those challenges.
- Using Developer Discussions to Guide Fixing Bugs in Software [51.00904399653609] (2022-11-11T16:37:33Z)
We propose using bug report discussions, which are available before the task is performed and are also naturally occurring, avoiding the need for additional information from developers.
We demonstrate that various forms of natural language context derived from such discussions can aid bug-fixing, even leading to improved performance over using commit messages corresponding to the oracle bug-fixing commits.
- Untargeted Backdoor Watermark: Towards Harmless and Stealthy Dataset Copyright Protection [69.59980270078067] (2022-09-27T12:56:56Z)
We explore the untargeted backdoor watermarking scheme, where the abnormal model behaviors are not deterministic.
We also discuss how to use the proposed untargeted backdoor watermark for dataset ownership verification.
- DapStep: Deep Assignee Prediction for Stack Trace Error rePresentation [61.99379022383108] (2022-01-14T00:16:57Z)
We propose new deep learning models to solve the bug triage problem.
The models are based on a bidirectional recurrent neural network with attention and on a convolutional neural network.
To improve the quality of ranking, we propose using additional information from version control system annotations.
- Early Detection of Security-Relevant Bug Reports using Machine Learning: How Far Are We? [6.438136820117887] (2021-12-19T11:30:29Z)
In a typical maintenance scenario, security-relevant bug reports are prioritised by the development team when preparing corrective patches.
Open security-relevant bug reports can become a critical leak of sensitive information that attackers can leverage to perform zero-day attacks.
In recent years, approaches for the detection of security-relevant bug reports based on machine learning have been reported with promising performance.
- Cross-ethnicity Face Anti-spoofing Recognition Challenge: A Review [79.49390241265337] (2020-04-23T06:43:08Z)
Chalearn Face Anti-spoofing Attack Detection Challenge consists of single-modal (e.g., RGB) and multi-modal (e.g., RGB, Depth, Infrared (IR)) tracks.
This paper presents an overview of the challenge, including its design, evaluation protocol and a summary of results.