
Security Professional Skills Representation in Bug Bounty Programs and Processes


Abstract

The ever-increasing number of security vulnerabilities discovered and reported in recent years is significantly raising the concerns of organizations and businesses regarding the potential risks of data breaches and attacks that may affect their assets (e.g., the cases of Yahoo and Equifax). Consequently, organizations, particularly those suffering from these attacks, are relying on the work of security professionals. Unfortunately, due to the wide range of cyber-attacks, identifying such skilled security professionals is a challenging task. One reason is the "skill gap" problem, a mismatch between the security professionals' skills and the skills required for the job (vulnerability discovery in our case). In this work, we focus on platforms and processes for crowdsourced security vulnerability discovery (bug bounty programs) and present a framework for the representation of security professional skills. More specifically, we propose an embedding-based clustering approach that exploits the multiple rich sources of information available across the web (e.g., job postings, vulnerability discovery reports) to translate security professional skills into a set of relevant skills using clustering information in a semantic vector space. The effectiveness of this approach is demonstrated through experiments, and the results show that our approach works better than baseline solutions in selecting the appropriate security professionals.