Ethical hacking for boosting IoT vulnerability management: A first look into bug bounty programs and responsible disclosure

Aaron Yi Ding, Gianluca Limon De Jesus, Marijn Janssen

Research output: Chapter in Book/Conference proceedings/Edited volume > Conference contribution > Scientific > peer-review

2 Citations (Scopus)

Abstract

The security of the Internet of Things (IoT) has attracted much attention due to the growing number of IoT-oriented security incidents. IoT hardware and software security vulnerabilities are being exploited, affecting many companies and individuals. Since the causes of vulnerabilities go beyond purely technical measures, there is a pressing demand to demystify the IoT "security complex" and to develop practical guidelines for companies, consumers, and regulators. In this paper, we present an initial study targeting an unexplored sphere in IoT by illuminating the potential of crowdsourced ethical hacking approaches for enhancing IoT vulnerability management. We focus on Bug Bounty Programs (BBP) and Responsible Disclosure (RD), which stimulate hackers to report vulnerabilities in exchange for monetary rewards. We carried out a qualitative investigation, supported by a literature survey and expert interviews, to explore how BBP and RD can facilitate the practice of identifying, classifying, prioritizing, remediating, and mitigating IoT vulnerabilities in an effective and cost-efficient manner. Besides deriving tangible guidelines for IoT stakeholders, our study also sheds light on a systematic integration path for combining BBP and RD with existing security practices (e.g., penetration testing) to further boost overall IoT security.

Original language: English
Title of host publication: ICTRS 2019 - Proceedings of the 8th International Conference on Telecommunications and Remote Sensing
Editors: Andon Lazarov, Boris Shishkov, Dimitris Mitrakos, Marijn Janssen
Publisher: Association for Computing Machinery (ACM)
Pages: 49-55
Number of pages: 7
ISBN (Electronic): 9781450376693
DOI: https://doi.org/10.1145/3357767.3357774
Publication status: Published - 16 Sep 2019
Event: 8th International Conference on Telecommunications and Remote Sensing, ICTRS 2019 - Rhodes, Greece
Duration: 16 Sep 2019 - 17 Sep 2019

Conference

Conference: 8th International Conference on Telecommunications and Remote Sensing, ICTRS 2019
Country: Greece
City: Rhodes
Period: 16/09/19 - 17/09/19

Keywords

  • Bug Bounty Programs
  • Ethical Hacking
  • IoT Security
  • Responsible Disclosure
  • Vulnerability Management


Cite this

Ding, A. Y., De Jesus, G. L., & Janssen, M. (2019). Ethical hacking for boosting IoT vulnerability management: A first look into bug bounty programs and responsible disclosure. In A. Lazarov, B. Shishkov, D. Mitrakos, & M. Janssen (Eds.), ICTRS 2019 - Proceedings of the 8th International Conference on Telecommunications and Remote Sensing (pp. 49-55). Association for Computing Machinery (ACM). https://doi.org/10.1145/3357767.3357774