Security assessment incentive method for promoting discovery of computer software vulnerabilities
Abstract
In one aspect, the disclosure provides: A method comprising: inviting a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party; assessing reputation and skills of one or more of the researchers, and accepting a subset of the researchers who have a positive reputation and sufficient skills to perform the investigations of the computer vulnerabilities; assigning a particular computer vulnerability research project, relating to a particular network under test, to a particular researcher from among the subset of the researchers; using a computer that is logically interposed between the particular researcher and the particular network under test, monitoring communications between the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test; validating a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher; determining and providing an award to the particular researcher in response to successfully validating the report of the candidate security vulnerability of the particular network under test that is received from the particular researcher.
22 Claims
1. A data processing method comprising:
- inviting a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party, wherein a first computing device and a second computing device are associated with different researchers respectively among the plurality of researchers;
- determining a respective expertise of the researchers of the distributed plurality of researchers;
- publishing, by a computer, to researchers having the respective expertise of the distributed plurality of researchers, a taxonomy of potential computer vulnerabilities, wherein each particular computer vulnerability in the taxonomy is associated with a range of award values;
- monitoring, by the computer that is communicatively coupled to the first computing device associated with a particular researcher of the distributed plurality of researchers and a network under test among the one or more networks and/or computers, communications between the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
- in response to a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher, and based upon the taxonomy, determining and providing, by the computer, a particular award value to the particular researcher.

Dependent claims: 2 through 11.
12. A data processing system comprising:
- a first computer that is communicatively coupled to a plurality of networks under test, an automated scanning system and a vulnerability database, and that is logically interposed in a network topology between the plurality of networks under test and a distributed plurality of researcher computers;
- one or more non-transitory computer-readable storage media in the first computer storing one or more sequences of instructions which when executed cause performing:
  - inviting, using the first computer, a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party, wherein a first computing device and a second computing device are associated with different researchers respectively among the plurality of researchers;
  - determining a respective expertise of the researchers of the distributed plurality of researchers;
  - publishing, using the first computer, to researchers having the respective expertise of the distributed plurality of researchers, a taxonomy of potential computer vulnerabilities, wherein each particular computer vulnerability in the taxonomy is associated with a range of award values;
  - monitoring, by a second computer that is communicatively coupled to a particular computing device of a particular researcher among the distributed plurality of researchers and a network under test among the one or more networks and/or computers, communications between the particular computing device of the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
  - in response to a report of the candidate security vulnerability of the particular network under test that is received from the particular computing device of the particular researcher, and based upon the taxonomy, determining and providing a particular award value to the particular researcher.

Dependent claims: 13 through 22.