Security assessment incentive method for promoting discovery of computer software vulnerabilities

US 9,413,780 B1
Filed: 05/06/2014
Issued: 08/09/2016
Est. Priority Date: 05/06/2014
Status: Active Grant

First Claim

Patent Images

1. A data processing method comprising:

inviting a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party, wherein a first computing device and a second computing device are associated with different researchers respectively among the plurality of researchers;

determining a respective expertise of the researchers of the distributed plurality of researchers;

publishing, by a computer, to researchers having the respective expertise of the distributed plurality of researchers, a taxonomy of potential computer vulnerabilities, wherein each particular computer vulnerability in the taxonomy is associated with a range of award values;

monitoring by the computer that is communicatively coupled to the first computing device associated with a particular researcher of the distributed plurality of researchers and a network under test among the one or more networks and/or computers, communications between the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;

in response to a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher, and based upon the taxonomy, determining and providing, by the computer, a particular award value to the particular researcher.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, the disclosure provides: A method comprising: inviting a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party; assessing reputation and skills of one or more of the researchers, and accepting a subset of the researchers who have a positive reputation and sufficient skills to perform the investigations of the computer vulnerabilities; assigning a particular computer vulnerability research project, relating to a particular network under test, to a particular researcher from among the subset of the researchers; using a computer that is logically interposed between the particular researcher and the particular network under test, monitoring communications between the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test; validating a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher; determining and providing an award to the particular researcher in response to successfully validating the report of the candidate security vulnerability of the particular network under test that is received from the particular researcher.

55 Citations

View as Search Results

22 Claims

1. A data processing method comprising:
- inviting a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party, wherein a first computing device and a second computing device are associated with different researchers respectively among the plurality of researchers;
  
  determining a respective expertise of the researchers of the distributed plurality of researchers;
  
  publishing, by a computer, to researchers having the respective expertise of the distributed plurality of researchers, a taxonomy of potential computer vulnerabilities, wherein each particular computer vulnerability in the taxonomy is associated with a range of award values;
  
  monitoring by the computer that is communicatively coupled to the first computing device associated with a particular researcher of the distributed plurality of researchers and a network under test among the one or more networks and/or computers, communications between the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
  
  in response to a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher, and based upon the taxonomy, determining and providing, by the computer, a particular award value to the particular researcher.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 comprising:
    - determining a vulnerability score for the candidate security vulnerability of the particular network under test that is received from the particular researcher, wherein the vulnerability score indicates a relative importance of the candidate security vulnerability;
      
      based upon the vulnerability score, determining and providing the award.
  - 3. The method of claim 1 comprising:
    - determining a vulnerability score for the candidate security vulnerability of the particular network under test that is received from the particular researcher, wherein the vulnerability score indicates a relative importance of the candidate security vulnerability;
      
      mapping the vulnerability score to a particular award that is within a range of a minimum award value and a maximum award value that are associated in the taxonomy with an identifier of the candidate security vulnerability;
      
      based upon the mapping, determining and providing the particular award.
  - 4. The method of claim 3 wherein the particular award is a fee.
  - 5. The method of claim 3 wherein the particular award is an amount of a virtual currency.
  - 6. The method of claim 3 wherein the particular award is an amount of points.
  - 7. The method of claim 6 comprising transferring the amount of points to a loyalty points award program account that is associated with the particular researcher.
  - 8. The method of claim 6 comprising:
    - determining and providing a plurality of awards of different amounts of points to the particular researcher in response to receiving a plurality of different reports of different candidate security vulnerabilities from the same particular researcher at different times within a period;
      
      determining and providing an additional award to the same particular researcher when a sum of the different amounts of points awarded within the period is greater than a specified threshold.
  - 9. The method of claim 1 comprising:
    - assigning two different particular computer vulnerability research projects, relating to two different particular networks under test, to two different geographically distant particular researchers from among the subset of the researchers;
      
      using a computer that is logically interposed between the two different particular researchers and the particular network under test, monitoring communications between the two different particular researchers and the two different particular networks under test, wherein the communications relate to attempting to identify two different candidate security vulnerabilities of the two different particular networks under test;
      
      validating two different reports of the two different candidate security vulnerability of the two different particular networks under test that are received respectively from the two different particular researchers;
      
      determining and providing two different awards to the two different particular researchers in response to successfully validating the reports.
  - 10. The method of claim 1 comprising validating the particular security vulnerability by re-performing, on a target computer of the particular network under test, one or more operations that are identified in the report;
    - providing a validated report of the security vulnerability to an administrator computer that is associated with the particular network under test.
  - 11. The method of claim 1 comprising:
    - assigning one particular computer vulnerability research project, relating to a particular network under test, to two different particular researchers from among the subset of the researchers;
      
      using a computer that is logically interposed between the two different particular researchers and the particular network under test, monitoring communications between the two different particular researchers and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
      
      receiving two different reports of the same candidate security vulnerability of the particular network under test from the two different particular researchers respectively;
      
      validating a first report of the candidate security vulnerability of the particular network under test that is received from a first particular researcher;
      
      determining that a second report, received from a second particular researcher, of the candidate security vulnerability is a duplicate report;
      
      determining and providing the award only to the first particular researcher in response to successfully validating the first report.

12. A data processing system comprising:
- a first computer that is communicatively coupled to a plurality of networks under test, an automated scanning system and a vulnerability database, and that is logically interposed in a network topology between the plurality of networks under test and a distributed plurality of researcher computers;
  
  one or more non-transitory computer-readable storage media in the first computer storing one or more sequences of instructions which when executed cause performing;
  
  inviting, using the first computer, a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party, wherein a first computing device and a second computing device are associated with different researchers respectively among the plurality of researchers;
  
  determining a respective expertise of the researchers of the distributed plurality of researchers;
  
  publishing, using the first computer, to researchers having the respective expertise of the distributed plurality of researchers, a taxonomy of potential computer vulnerabilities, wherein each particular computer vulnerability in the taxonomy is associated with a range of award values;
  
  monitoring, by a second computer that is communicatively coupled to a particular computing device of a particular researcher among the distributed plurality of researchers and a network under test among the one or more networks and/or computers, communications between the particular computing device of the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
  
  in response to a report of the candidate security vulnerability of the particular network under test that is received from the particular computing device of the particular researcher, and based upon the taxonomy, determining and providing a particular award value to the particular researcher.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause:
    - determining a vulnerability score for the candidate security vulnerability of the particular network under test that is received from the particular researcher, wherein the vulnerability score indicates a relative importance of the candidate security vulnerability;
      
      based upon the vulnerability score, determining and providing the award.
  - 14. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause:
    - determining a vulnerability score for the candidate security vulnerability of the particular network under test that is received from the particular researcher, wherein the vulnerability score indicates a relative importance of the candidate security vulnerability;
      
      mapping the vulnerability score to a particular award that is within a range of a minimum award value and a maximum award value that are associated in the taxonomy with an identifier of the candidate security vulnerability;
      
      based upon the mapping, determining and providing the particular award.
  - 15. The computer system of claim 14 wherein the particular award is a fee.
  - 16. The computer system of claim 14 wherein the particular award is an amount of a virtual currency.
  - 17. The computer system of claim 14 wherein the particular award is an amount of points.
  - 18. The computer system of claim 17, the storage media comprising sequences of instructions which when executed cause transferring the amount of points to a loyalty points award program account that is associated with the particular researcher.
  - 19. The computer system of claim 17, the storage media comprising sequences of instructions which when executed cause:
    - determining and providing a plurality of awards of different amounts of points to the particular researcher in response to receiving a plurality of different reports of different candidate security vulnerabilities from the same particular researcher at different times within a period;
      
      determining and providing an additional award to the same particular researcher when a sum of the different amounts of points awarded within the period is greater than a specified threshold.
  - 20. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause:
    - assigning two different particular computer vulnerability research projects, relating to two different particular networks under test, to two different geographically distant particular researchers from among the subset of the researchers;
      
      using a computer that is logically interposed between the two different particular researchers and the particular network under test, monitoring communications between the two different particular researchers and the two different particular networks under test, wherein the communications relate to attempting to identify two different candidate security vulnerabilities of the two different particular networks under test;
      
      validating two different reports of the two different candidate security vulnerability of the two different particular networks under test that are received respectively from the two different particular researchers;
      
      determining and providing two different awards to the two different particular researchers in response to successfully validating the reports.
  - 21. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause:
    - validating the particular security vulnerability by re-performing, on a target computer of the particular network under test, one or more operations that are identified in the report;
      
      providing a validated report of the security vulnerability to an administrator computer that is associated with the particular network under test.
  - 22. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause:
    - assigning one particular computer vulnerability research project, relating to a particular network under test, to two different particular researchers from among the subset of the researchers;
      
      using a computer that is logically interposed between the two different particular researchers and the particular network under test, monitoring communications between the two different particular researchers and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
      
      receiving two different reports of the same candidate security vulnerability of the particular network under test from the two different particular researchers respectively;
      
      validating a first report of the candidate security vulnerability of the particular network under test that is received from a first particular researcher;
      
      determining that a second report, received from a second particular researcher, of the candidate security vulnerability is a duplicate report;
      
      determining and providing the award only to the first particular researcher in response to successfully validating the first report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Synack, Inc.
Original Assignee
Synack, Inc.
Inventors
Kaplan, Jay, Kuhr, Mark
Primary Examiner(s)
Schwartz, Darren B

Application Number

US14/271,119
Time in Patent Office

826 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/0748   in a remote unit communicat...

G06F 11/2733   Test interface between test...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06Q 30/0208   Trade or exchange of goods ...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

Security assessment incentive method for promoting discovery of computer software vulnerabilities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

55 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Security assessment incentive method for promoting discovery of computer software vulnerabilities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links