A Deep Dive Into How Open-Source Project Maintainers Review and Resolve Bug Bounty Reports

TL;DR

This paper explores how open-source project maintainers review and resolve bug bounty reports, highlighting key benefits, challenges, and features, and providing recommendations to improve the bug bounty review process.

Contribution

It provides an empirical analysis of OSS maintainers' perspectives on bug bounty report review, a previously understudied area, through surveys and interviews.

Findings

Private disclosure and project visibility are top benefits.

Hunters' focus on money and CVEs presents challenges.

Lack of communication is least challenging for maintainers.

Abstract

Researchers have investigated the bug bounty ecosystem from the lens of platforms, programs, and bug hunters. Understanding the perspectives of bug bounty report reviewers, especially those who historically lack a security background and little to no funding for bug hunters, is currently understudied. In this paper, we primarily investigate the perspective of open-source software (OSS) maintainers who have used \texttt{huntr}, a bug bounty platform that pays bounties to bug hunters who find security bugs in GitHub projects and have had valid vulnerabilities patched as a result. We address this area by conducting three studies: identifying characteristics through a listing survey ($n_1=51$), their ranked importance with Likert-scale survey data ($n_2=90$), and conducting semi-structured interviews to dive deeper into real-world experiences ($n_3=17$). As a result, we categorize 40 identified characteristics into benefits, challenges, helpful features, and wanted features. We find that private disclosure and project visibility are the most important benefits, while hunters focused on money or CVEs and pressure to review are the most challenging to overcome. Surprisingly, lack of communication with bug hunters is the least challenging, and CVE creation support is the second-least helpful feature for OSS maintainers when reviewing bug bounty reports. We present recommendations to make the bug bounty review process more accommodating to open-source maintainers and identify areas for future work.