Enhancing Vulnerability Management for IoT Devices with Bug Bounty Programs and Responsible Disclosure


Abstract

The Internet of Things (IoT) will soon impact the lives of thousands of people as numerous IoT devices are emerging in the consumer market. Consumer goods consist of products designed for the consumption of final consumers. Even though IoT applications are expected to improve people's lives, security is often lacking in current IoT devices. Vulnerabilities in these types of products pose serious risks to the security and privacy of consumers. Compared to traditional electronics, IoT devices are endowed with internet connectivity that can be exploited by hackers in remote attacks. Several attacks on IoT products that can threaten the security of a large number of actors have already been observed. To minimize the risk of attacks, developers and vendors need to identify vulnerabilities in time, before any malevolent individual can exploit them.
In recent years, as part of vulnerability management practices, many organizations have started to implement crowdsourced security methods such as Bug Bounty Programs (BBPs) and Responsible Disclosure Policies (RDPs). BBPs and RDPs are programs that involve the participation of ethical hackers in the security processes of organizations, reporting vulnerabilities to companies in exchange for monetary rewards or recognition. These methods present the benefit that thousands of hackers can work together with companies to identify and patch vulnerabilities. Empirical research suggests that BBPs and RDPs effectively augment the existing vulnerability management practices of companies. However, the application of these programs in the field of IoT has never been studied. Many questions remain open regarding the potential and future adoption of Bug Bounty Programs and Responsible Disclosure Policies. The research aim is to study and expand the literature on security practices for IoT, focusing on the application of BBPs and RDPs, and to conduct an interview-based investigation with experts in order to provide practical recommendations for companies to enhance vulnerability management practices for IoT consumer goods. For this research, the literature on IoT security and security practices is confronted with empirical data from expert interviews. The empirical data was gathered during an internship at Deloitte in the Netherlands. In total, 19 interviews with cybersecurity experts from different companies in the field were collected for this thesis. The results are employed to generate recommendations for companies to improve their vulnerability management practices with the use of BBPs and RDPs. The recommendations are directed to companies developing, manufacturing, and commercializing consumer IoT devices that want to enhance the security of their products.
The main contributions of this research consist of practical and tangible security recommendations for companies to tackle IoT vulnerabilities in consumer goods, which will help enhance overall IoT security practices. Moreover, our findings draw attention to the societal risks derived from the unsafe deployment of vulnerable IoT products into the consumer market. We raise awareness of the IoT security challenge, and present a call for further action from companies, consumers, and regulators in the IoT domain.