Proposal of a Novel Bug Bounty Implementation Using Gamification

TL;DR

This paper introduces a gamified bug bounty process that leverages crowdsourcing for report verification, aiming to reduce resource demands and improve effectiveness, especially for resource-constrained organizations like universities.

Contribution

It proposes a novel bug bounty framework incorporating gamification and crowdsourced verification to address resource and effectiveness issues.

Findings

Reduces overheads through crowdsourced report verification

Uses gamification to substitute monetary rewards

Suitable for resource-constrained organizations

Abstract

Despite significant popularity, the bug bounty process has remained broadly unchanged since its inception, with limited implementation of gamification aspects. Existing literature recognises that current methods generate intensive resource demands, and can encounter issues impacting program effectiveness. This paper proposes a novel bug bounty process aiming to alleviate resource demands and mitigate inherent issues. Through the additional crowdsourcing of report verification where fellow hackers perform vulnerability verification and reproduction, the client organisation can reduce overheads at the cost of rewarding more participants. The incorporation of gamification elements provides a substitute for monetary rewards, as well as presenting possible mitigation of bug bounty program effectiveness issues. Collectively, traits of the proposed process appear appropriate for resource and budget-constrained organisations - such Higher Education institutions.