ACM ICTRS 2019

Ethical Hacking for Boosting IoT Vulnerability Management:
A First Look into Bug Bounty Programs and Responsible Disclosure

Abstract:

The security of the Internet of Things (IoT) has attracted much 
attention due to the growing number of IoT-oriented security 
incidents. Vulnerabilities in IoT hardware and software are being 
exploited, affecting many companies and individuals. Since the 
causes of these vulnerabilities go beyond purely technical factors, 
there is a pressing need to demystify the IoT "security complex" 
and develop practical guidelines for companies, consumers, and 
regulators alike. In this paper, we present an initial study 
targeting an unexplored sphere in IoT by illuminating the 
potential of crowdsourced ethical hacking approaches for 
enhancing IoT vulnerability management. We focus on Bug Bounty 
Programs (BBP) and Responsible Disclosure (RD), which encourage 
hackers to report vulnerabilities in exchange for monetary rewards. 
We carried out a qualitative investigation, supported by a 
literature survey and expert interviews, to explore how BBP and 
RD can facilitate the practice of identifying, classifying, 
prioritizing, remediating, and mitigating IoT vulnerabilities 
in an effective and cost-efficient manner. Besides deriving 
tangible guidelines for IoT stakeholders, our study also sheds 
light on a systematic integration path to combine BBP and RD 
with existing security practices (e.g., penetration testing) to 
further boost overall IoT security. 


Pre-camera-ready PDF 

ACM Library Access

BibTeX:
@inproceedings{Ding:ICTRS2019,
 author = {Ding, Aaron Yi and Limon De Jesus, Gianluca and Janssen, Marijn},
 title = {Ethical Hacking for Boosting IoT Vulnerability Management: A First Look into Bug Bounty Programs and Responsible Disclosure},
 booktitle = {Proceedings of the 8th International Conference on Telecommunications and Remote Sensing},
 series = {ICTRS '19},
 year = {2019},
 isbn = {978-1-4503-6580-2},
 location = {Rhodes, Greece},
 pages = {27--34},
 numpages = {8},
 url = {http://doi.acm.org/10.1145/3278161.3278166},
 doi = {10.1145/3278161.3278166},
 acmid = {3278166},
 publisher = {ACM},
 address = {New York, NY, USA},
 keywords = {IoT Security; Vulnerability Management; Bug Bounty Programs; Responsible Disclosure; Ethical Hacking},
}
How to cite:

A. Y. Ding, G. Limon De Jesus, M. Janssen. 2019. Ethical Hacking for Boosting IoT Vulnerability Management: A First Look into Bug Bounty Programs and Responsible Disclosure. In Proceedings of the 8th International Conference on Telecommunications and Remote Sensing (ICTRS '19). ACM, New York, NY, USA, 27-34. https://doi.org/10.1145/3278161.3278166