dc.contributor.advisor: Co-chairs, Graduate Committee: Clemente Izurieta and Mike Wittie (en)
dc.contributor.author: McCartney, Susan Ann (en)
dc.description.abstract: Corporate computer security is becoming increasingly important because the frequency and severity of cyberattacks on businesses are high and increasing. One way to improve the security of company software is for a company to hire a third party to identify and report vulnerabilities, blocks of code that can be exploited. A bug-bounty program incentivizes ethical hackers (herein, 'researchers') to find and fix vulnerabilities before they can be exploited. For this reason, bug-bounty programs have been increasing in popularity since their inception a decade ago. However, the increase in their use and popularity also increases the likelihood of the companies being targeted by malicious actors by using a bug-bounty program as the medium. The literature review and investigation into the rules and requirements for bug-bounty platforms revealed that though the bug-bounty programs can improve a vendor's security, the programs still contain a serious security flaw. The platforms are not required to scan reports for malware and there is no guidance requesting the vendors scan for malware. This means it is possible to perform a cyberattack using malware as a report attachment. Through data collection from 22 platforms, an observational case study, and analysis of different malware, I have created a tool to assist vendors in selecting the platform of best fit and characterize the possible attack surfaces presented from the file options allowed on the platform. The outcome from this research is evidence of the importance of understanding the malware files used as report attachments. However, more research is needed on the relationship between file extensions and malware in order to thoroughly comprehend the attack surface capabilities, and to understand the trade-offs between security and convenience. (en)
dc.publisher: Montana State University - Bozeman, College of Engineering (en)
dc.subject.lcsh: Computer security (en)
dc.subject.lcsh: Malware (Computer software) (en)
dc.title: A framework to assess bug-bounty platforms based on potential attack vectors (en)
dc.rights.holder: Copyright 2022 by Susan Ann McCartney (en), Graduate Committee: John Paxton; Laura Stanley; Ann Marie Reinhold; Maryann Cummings (en)
