Las Vegas, NV ― Black Hat ― A security academic raised an important concern on Thursday, highlighting that an organization’s choice to publicly disclose resolved vulnerabilities might inadvertently hinder ethical hackers’ capacity to uncover previously unknown security weaknesses.
At the Black Hat conference, Ali Ahmed, an assistant professor in the Department of Information Systems at the College of Business, University of Wisconsin-Eau Claire, unveiled his ongoing research. This study delves into the intricate connection between bug bounty programs and the behaviors exhibited by white hat hackers participating in these initiatives.
Brian Lee, an assistant professor in the Department of Supply Chain and Information Systems at the Pennsylvania State University, and Amit Deokar, an associate dean of undergraduate programs at the Manning School of Business, University of Massachusetts Lowell, participated in the research.
Together with two colleagues, the professor embarked on an ambitious endeavor, collecting and meticulously analyzing 8,712 vulnerability reports that had been publicly disclosed by 368 different companies on HackerOne, an internationally renowned bug bounty platform. Bug bounties have emerged as a strategy for organizations to fortify their software security, offering financial incentives to individuals who unearth security vulnerabilities. This proactive approach helps organizations safeguard their systems from potential attackers.
According to their findings, the disclosed reports have a negative effect on hackers’ creativity, which is a crucial element in detecting security flaws. “If a firm discloses a lot, they are less likely to resolve a new bug in the next month or in the future,” said Ahmed. “It also showed that fewer hackers were able to be successful in finding new bugs.”
The expert introduced a psychological concept known as “fixation” to elucidate the rationale behind his findings, using the analogy of a hammer to drive home his point. Imagine someone who requires a paperweight encountering a hammer for the first time. Without knowledge of its intended function, they might repurpose the hammer as a paperweight. However, if they were aware of the hammer’s intended function, they would exclusively use it for its primary purpose, pounding nails.
“Similar phenomena happen in bug bounty programs,” said the professor. “Hackers’ minds are fixated on the prior examples. They go for the same techniques and methods in finding new bugs. So, disclosure can lead to fewer discoveries.”
During problem-solving, individuals often experience fixation, a cognitive bias that drives them to seek the simplest solution based on their past experiences. In essence, this means that hackers who possess extensive experience might actually be more susceptible to the effects of vulnerability reports, compared to those who are newcomers in the industry.
The expert also provided insights into ways organizations could effectively influence the behavior of hackers in a positive manner. “Psychology says that expansive examples lead to more creative output. If firms disclose critical vulnerabilities, that will lead to more discoveries in the future and more success for hackers,” said Ahmed. “If they want hackers to be successful in their program, they should be more critical about how and what they disclose.”
He also stressed that ethical hackers should be aware of fixation when they are looking into vulnerability reports. “They should get out of it. One strategy I found through this data is program switching. If hackers switch between programs a lot, it can’t create fixation,” the professor said.