Does Public Disclosure of Vulnerabilities Affect Hacker Participation in Bug Bounty Programs?
Explore public vulnerability disclosure, hacker participation, and bug discovery in bug bounty programs.
- Disclosure of patched vulnerabilities can have a negative impact on the discovery of new bugs in a program.
- Hacker participation is affected by disclosure levels, with fewer hackers being successful when a firm discloses a lot or increases its disclosure level.
- Counterintuitively, hackers may put more effort into finding bugs for firms that offer smaller bounties, but this may not lead to more discoveries.
- Disclosure can lead to fixation, where hackers’ minds are biased towards prior examples, making it harder to find new bugs.
- Fixation is a cognitive bias where creative people are prone to repeating similar ideas or solutions.
- Functional fixedness is another term for fixation, where people are limited to using objects in traditional ways.
- Research in psychology shows that prior examples can affect creative people’s cognitive capabilities, leading to fixation.
- Disclosure can have a negative effect on hackers’ search behavior, making it harder to find new bugs.
- Switching between programs can decrease fixation.
- It’s possible that hackers may not like working for companies that disclose a lot, due to fixation and the bias towards prior examples.
- orsch says there’s a need to test the effect of disclosure on hackers’ success, as well as the impact of a bigger company’s offer of a huge bounty.
- A science experiment is needed to test the effect of disclosure on hackers’ success.
- Validation of disclosures on platforms like HackerOne and Bugcrowd can affect hackers’ success.
- There are two possibilities: a positive effect of disclosure on hackers’ success, or a negative effect.
- Public data is crucial for understanding bug bounty phenomena, but private bug bounty data is hard to access.