
Using Real-world Bug Bounty Programs in Secure Coding Course: Experience Report (2404.12043v1)

Published 18 Apr 2024 in cs.CR

Abstract: To keep up with the growing number of cyber-attacks and associated threats, there is an ever-increasing demand for cybersecurity professionals and for new methods and technologies. Training new cybersecurity professionals is a challenging task due to the broad scope of the area. One particular field where there is a shortage of experts is Ethical Hacking. Due to its complexity, it often faces educational constraints. Recognizing these challenges, we propose a solution: integrating a real-world bug bounty programme into the cybersecurity curriculum. This innovative approach aims to fill the gap in practical cybersecurity education and also brings additional positive benefits. To evaluate our idea, we included the proposed solution in a secure coding course at an IT-oriented faculty. We let students choose participation in a bug bounty programme as an option for the semester assignment in the secure coding course. We then collected responses from the students to evaluate the outcomes (improved skills, reported vulnerabilities, a better relationship with security, etc.). Evaluation of the assignment showed that students enjoyed solving such real-world problems, could find real vulnerabilities, and that it helped raise their skills and cybersecurity awareness. Participation in real bug bounty programmes also positively affects the security level of the tested products. We also discuss the potential risks of this approach and how to mitigate them.

Authors (6)
  1. Kamil Malinka (9 papers)
  2. Anton Firc (5 papers)
  3. Pavel Loutocký (1 paper)
  4. Jakub Vostoupal (1 paper)
  5. Andrej Krištofík (1 paper)
  6. František Kasl (1 paper)
Citations (2)