06/25/2021
By Mary Lou Kelly
Ali Ahmed will defend his Ph.D. Dissertation in the Department of Operations and Information Systems, Manning School of Business, entitled "On Understanding Crowdsourced Vulnerability Discovery and Disclosure" on Friday, July 9, 2021 from 2 to 4 p.m. This will be a virtual dissertation defense via Zoom. Those interested in attending should contact ali_ahmed@student.uml.edu to request access to the Zoom link.
Committee Members:
- Prof. Amit Deokar (Co-Chair)
- Prof. Brian Lee (Co-Chair)
- Prof. Xiaobai Li
- Prof. Chi Zhang
Abstract:
Crowdsourced vulnerability discovery, or bug bounty programs, have become an increasingly popular method for finding security vulnerabilities in organizations’ online systems. In this method, ethical hackers find and report security vulnerabilities to the organization, and receive monetary rewards or reputational gain for their valid discoveries. This dissertation contributes to various issues related to crowdsourced vulnerability disclosure and bug bounty programs. The first essay provides a theoretical understanding of various mechanisms of vulnerability disclosure. We synthesize the existing literature and compare the antecedents and consequences of vulnerability disclosure under market- and non-market-based disclosure mechanisms by proposing two research frameworks. We also identify several open research questions addressing issues and challenges in market-based disclosures. In the second essay, we examine how a firm’s vulnerability resolution experience affects its efficiency in resolving vulnerabilities on a bug bounty platform. Using a dataset collected from a leading bug bounty platform, we find that, interestingly, a firm may initially perform worse (i.e., longer resolution time) as it gains more experience. However, after resolving a sufficient number of vulnerabilities, the firm’s experience turns into a positive learning effect. Moreover, the positive learning effect kicks in earlier if the firm continuously works with the same hacker on the platform. In the third essay, we investigate how the disclosure of patched vulnerabilities affects the participation of ethical hackers in a bug bounty program. From empirical analysis, we find that the disclosure of valid vulnerability reports attracts hackers from other programs to the disclosing programs. We also find that the disclosure of valid reports attracts more experienced hackers to the program.
In addition to theoretical contributions to the areas of crowdsourcing and vulnerability discovery, the studies in this dissertation also have practical implications for organizations, ethical hackers, and platform managers.