ESEM 2021
Mon 11 - Fri 15 October 2021
Tue 12 Oct 2021 15:05 - 15:15 at ESEM ROOM - Testing & Security 1 Chair(s): Davide Fucci

Background: Despite the increasing popularity of bug-bounty platforms in industry, little empirical evidence exists to identify the nature of invalid vulnerability reports. Mitigating invalid reports is a serious concern for organisations running or using bug-bounty platforms, as well as for security researchers.

Aims: In this work we aim to identify (i) why some reports are considered invalid, and (ii) what the characteristics are of reports considered invalid because they are out-of-scope.

Method: We conducted an empirical study on disclosed invalid reports in HackerOne to examine the reasons these reports were marked as invalid, and we found that out-of-scope is the leading reason. Since all out-of-scope reports were rejected according to the program's policy page, we studied all program policy pages on two major bug-bounty platforms to understand the characteristics of an out-of-scope report. We developed a generalised out-of-scope taxonomy model and used it to further analyse HackerOne out-of-scope reports, identifying the attributes of the model that contribute most to the fate of these reports.

Results: We identified out-of-scope, followed by false-positive, as the two main reasons for a report to be deemed invalid. We found that the vulnerability-type attribute of our taxonomy model is the leading characteristic of out-of-scope reports. We also identified the top 9 out-of-interest vulnerability types according to policy pages.

Conclusions: Our study can help bug-bounty platforms and researchers better understand the nature of invalid reports. Our finding about the importance of vulnerability type in validating reports can justify future work on automated classification techniques based on vulnerability type to better triage invalid reports. Our top 9 out-of-interest vulnerability types can be used as a blacklist to automatically flag a report as possibly out-of-scope. Finally, our generalised out-of-scope taxonomy model can serve organisations as a base model for creating their policy pages and tailoring them as needed.

Tue 12 Oct

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

14:20 - 15:15
Testing & Security 1 - Technical Papers / Emerging Results and Vision papers at ESEM ROOM
Chair(s): Davide Fucci Blekinge Institute of Technology
14:20
15m
Talk
A comparative study of vulnerability reporting by software composition analysis tools
Technical Papers
Nasif Imtiaz North Carolina State University, Seaver Thorn North Carolina State University, Laurie Williams North Carolina State University
14:35
15m
Talk
An Empirical Study of Rule-Based and Learning-Based Approaches for Static Application Security Testing
Technical Papers
Roland Croft , Dominic Newlands University of Adelaide, Ziyu Chen Monash University, Muhammad Ali Babar University of Adelaide
14:50
15m
Talk
An Empirical Analysis of Practitioners' Perspectives on Security Tool Integration into DevOps
Technical Papers
Roshan Namal Rajapakse The University of Adelaide, Mansooreh Zahedi The University of Melbourne, Muhammad Ali Babar University of Adelaide
15:05
10m
Talk
Why Some Bug-bounty Vulnerability Reports are Invalid?
Emerging Results and Vision papers
Saman Shafigh University of New South Wales, Boualem Benatallah University of New South Wales, Carlos Rodriguez University of New South Wales, Mortada Al-Banna University of New South Wales

Information for Participants
Tue 12 Oct 2021 14:20 - 15:15 at ESEM ROOM - Testing & Security 1 Chair(s): Davide Fucci
Info for room ESEM ROOM:

https://www.youtube.com/c/ESEM_Conference