SECURITY ASSESSMENT INCENTIVE METHOD FOR PROMOTING DISCOVERY OF COMPUTER SOFTWARE VULNERABILITIES

US 20160342796A1
Filed: 08/08/2016
Published: 11/24/2016
Est. Priority Date: 05/06/2014
Status: Active Grant

First Claim

Patent Images

1. A data processing method comprising:

using a Launch Point computer, assessing a plurality of researchers as a precondition for receiving an invitation to be a researcher of a distributed plurality of researchers, resulting in forming the distributed plurality of researchers in which each researcher is associated in digitally stored data records with one or more tags that identify the researcher for one or more attributes;

using the Launch Point computer, electronically inviting a subset of the distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more third party computers that are owned or operated by a third party, the subset of the distributed plurality of researchers selected based on the one or more tags in records that identify the researcher and a description of the computer vulnerabilities of the one or more third party computers;

using the Launch Point computer that is communicatively coupled to a particular researcher among the subset of the distributed plurality of researchers and a particular third party computer under test among the one or more third party computers, monitoring communications between the particular researcher and the particular third party computer under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular third party computer under test;

in response to a report of the candidate security vulnerability of the particular third party computer that is received from the particular researcher, evaluating the report of the candidate security vulnerability.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, the disclosure provides: A method comprising: assessing a plurality of researchers as a precondition for receiving an invitation to be a researcher of a distributed plurality of researchers, resulting in the distributed plurality of researchers wherein each researcher is associated with one or more tags in records that identify the researcher for one or more attributes; inviting a subset of the distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more computers that are owned or operated by a third party, the subset of the distributed plurality of researchers selected based on the one or more tags in records that identify the researcher and a description of the computer vulnerabilities of the one or more computers; using a computer that is communicatively coupled to a particular researcher among the subset of the distributed plurality of researchers and a network under test among the one or more computers, monitoring communications between the particular researcher and the particular third party computer, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular third party computer; in response to a report of the candidate security vulnerability of the particular third party computer that is received from the particular researcher, evaluating the report of the candidate security vulnerability.

Citations

20 Claims

1. A data processing method comprising:
- using a Launch Point computer, assessing a plurality of researchers as a precondition for receiving an invitation to be a researcher of a distributed plurality of researchers, resulting in forming the distributed plurality of researchers in which each researcher is associated in digitally stored data records with one or more tags that identify the researcher for one or more attributes;
  
  using the Launch Point computer, electronically inviting a subset of the distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more third party computers that are owned or operated by a third party, the subset of the distributed plurality of researchers selected based on the one or more tags in records that identify the researcher and a description of the computer vulnerabilities of the one or more third party computers;
  
  using the Launch Point computer that is communicatively coupled to a particular researcher among the subset of the distributed plurality of researchers and a particular third party computer under test among the one or more third party computers, monitoring communications between the particular researcher and the particular third party computer under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular third party computer under test;
  
  in response to a report of the candidate security vulnerability of the particular third party computer that is received from the particular researcher, evaluating the report of the candidate security vulnerability.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising, using the Launch Point computer, comparing the one or more tags in records that identify the researcher for one or more attributes to a description of the one or more third party computers.
  - 3. The method of claim 1 wherein assessing a plurality of researchers comprises determining that a particular researcher of the plurality of researchers is a white hat hacker.
  - 4. The method of claim 1, wherein assessing the plurality of researchers comprises causing the researcher to classify issues relating to web application security, mobile application security, or infrastructure.
  - 5. The method of claim 1, wherein assessing the plurality of researchers comprises assigning a level of trust to a particular researcher.
  - 6. The method of claim 1, wherein the one or more attributes comprise citizenship, levels of permissible government access, residence, or domicile.
  - 7. The method of claim 1, wherein monitoring communications between the particular researcher and the particular third party computer comprises logging tests and messages between the particular researcher and the one or more third party computers.
  - 8. The method of claim 1, wherein the computer vulnerabilities comprise an SQL injection attack.
  - 9. The method of claim 1, wherein the report of the candidate security vulnerability of the particular third party computer comprises an indication that an authenticated login is required.
  - 10. The method of claim 1, wherein the report of the candidate security vulnerability of the particular third party computer comprises an indication of an impact to confidentiality, that integrity of application or user data was compromised, or that the candidate security vulnerability impacts application availability.

11. A data processing system comprising:
- a first computer that is communicatively coupled to a plurality of computers under test, an automated scanning system and a vulnerability database, and that is logically interposed in a network topology between the plurality of computers under test and a distributed plurality of researcher computers;
  
  one or more non-transitory computer-readable storage media in the first computer storing one or more sequences of instructions which when executed cause performing;
  
  assessing a plurality of researchers as a precondition for receiving an invitation to be a researcher of a distributed plurality of researchers, resulting in the distributed plurality of researchers wherein each researcher is associated in stored digital data records with one or more tags that identify the researcher for one or more attributes;
  
  electronically inviting a subset of the distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more third party computers that are owned or operated by a third party, the subset of the distributed plurality of researchers selected based on the one or more tags in records that identify the researcher and a description of the computer vulnerabilities of the one or more third party computers;
  
  using the first computer that is communicatively coupled to a particular researcher among the subset of the distributed plurality of researchers and a particular third party computer under test among the one or more third party computers, monitoring communications between the particular researcher and the particular third party computer, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular third party computer;
  
  in response to a report of the candidate security vulnerability of the particular third party computer that is received from the particular researcher, evaluating the report of the candidate security vulnerability.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The data processing system of claim 11, wherein the one or more non-transitory computer-readable storage media in the first computer storing one or more sequences of instructions which when executed cause performing:
    - comparing the one or more tags in records that identify the researcher for one or more attributes to a description of the one or more third party computers.
  - 13. The data processing system of claim 11, wherein the one or more non-transitory computer-readable storage media in the first computer storing one or more sequences of instructions which when executed cause performing assessing a plurality of researchers comprises by determining that a particular researcher of the plurality of researchers is a white hat hacker.
  - 14. The data processing system of claim 11, wherein one or more non-transitory computer-readable storage media in the first computer storing one or more sequences of instructions which when executed cause performing assessing the plurality of researchers by causing the researcher to classify issues relating to web application security, mobile application security, or infrastructure.
  - 15. The data processing system of claim 11, wherein one or more non-transitory computer-readable storage media in the first computer storing one or more sequences of instructions which when executed cause performing assigning a level of trust to a particular researcher.
  - 16. The data processing system of claim 11, wherein the one or more attributes comprise citizenship, levels of permissible government access, residence, or domicile.
  - 17. The data processing system of claim 11, wherein monitoring communications between the particular researcher and the particular third party computer comprises logging tests and messages between the particular researcher and the one or more third party computers.
  - 18. The data processing system of claim 11, wherein the computer vulnerabilities comprise an SQL injection attack.
  - 19. The data processing system of claim 11, wherein the report of the candidate security vulnerability of the particular third party computer comprises an indication that an authenticated login is required.
  - 20. The data processing system of claim 11, wherein the report of the candidate security vulnerability of the particular third party computer comprises an indication of an impact to confidentiality, that integrity of application or user data was compromised, or that the candidate security vulnerability impacts application availability.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Synack, Inc.
Original Assignee
Synack, Inc.
Inventors
KAPLAN, Jay, KUHR, Mark

Granted Patent

US 9,697,362 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/0748   in a remote unit communicat...

G06F 11/2733   Test interface between test...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06Q 30/0208   Trade or exchange of goods ...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

SECURITY ASSESSMENT INCENTIVE METHOD FOR PROMOTING DISCOVERY OF COMPUTER SOFTWARE VULNERABILITIES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY ASSESSMENT INCENTIVE METHOD FOR PROMOTING DISCOVERY OF COMPUTER SOFTWARE VULNERABILITIES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links