Abstract
The ever-increasing number of security vulnerabilities discovered and reported in recent years is significantly raising the concerns of organizations and businesses regarding the potential risks of data breaches and attacks that may affect their assets (e.g. the cases of Yahoo and Equifax). Consequently, organizations, particularly those suffering from these attacks, are relying on the work of security professionals. Unfortunately, given the wide range of cyber-attacks, identifying suitably skilled security professionals is a challenging task. One reason is the “skill gap” problem, a mismatch between the security professionals’ skills and the skills required for the job (vulnerability discovery in our case). In this work, we focus on platforms and processes for crowdsourced security vulnerability discovery (bug bounty programs) and present a framework for the representation of security professional skills. More specifically, we propose an embedding-based clustering approach that exploits multiple rich information sources available across the web (e.g. job postings, vulnerability discovery reports) to translate the security professional skills into a set of relevant skills using clustering information in a semantic vector space. The effectiveness of this approach is demonstrated through experiments, and the results show that our approach works better than baseline solutions in selecting the appropriate security professionals.
References
Al-Banna, M., Benatallah, B., Barukh, M.C.: Software security professionals: expertise indicators. In: 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC), pp. 139–148 (2016)
Al-Banna, M., Benatallah, B., Schlagwein, D., Bertino, E., Barukh, M.C.: Friendly hackers to the rescue: how organizations perceive crowdsourced vulnerability discovery. In: PACIS, p. 230 (2018)
Bastian, M., et al.: LinkedIn skills: large-scale topic extraction and inference. In: Proceedings of the 8th ACM Conference on Recommender Systems, pp. 1–8 (2014)
Blei, D.M., Ng, A.Y., Jordan, M.I.: Latent Dirichlet allocation. J. Mach. Learn. Res. 3, 993–1022 (2003)
Christopher, D.M., Prabhakar, R., Hinrich, S.: Introduction to information retrieval. Int. Inf. Retrieval 151(177), 5 (2008)
Council, N.R., et al.: A database for a changing economy: review of the Occupational Information Network (O*NET). National Academies Press (2010)
Dave, V.S., Zhang, B., Al Hasan, M., AlJadda, K., Korayem, M.: A combined representation learning approach for better job and skill recommendation. In: Proceedings of the 27th ACM International Conference on Information and Knowledge Management, pp. 1997–2005. ACM (2018)
Dehghan, M., Abin, A.A.: Translations diversification for expert finding: a novel clustering-based approach. ACM Trans. Knowl. Discov. Data (TKDD) 13(3), 1–20 (2019)
Finifter, M., Akhawe, D., Wagner, D.: An empirical study of vulnerability rewards programs. In: Proceedings of the 22nd USENIX conference on Security, pp. 273–288 (2013)
Giboney, J.S., Proudfoot, J.G., Goel, S., Valacich, J.S.: The security expertise assessment measure (seam): developing a scale for hacker expertise. Comput. Secur. 60, 37–51 (2016)
Ha-Thuc, V., et al.: Search by ideal candidates: next generation of talent search at LinkedIn. In: Proceedings of the 25th International Conference Companion on World Wide Web, pp. 195–198 (2016)
Hata, H., Guo, M., Babar, M.A.: Understanding the heterogeneity of contributors in bug bounty programs. In: 2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), pp. 223–228. IEEE (2017)
Hughes, S.: How we data-mine related tech skills (2015). https://insights.dice.com/2015/03/16/how-we-data-mine-related-tech-skills/?ads_kw=idf
Javed, F., Hoang, P., Mahoney, T., McNair, M.: Large-scale occupational skills normalization for online recruitment. In: Twenty-Ninth IAAI Conference (2017)
Kaufman, L., Rousseeuw, P.J.: Finding Groups in Data: An Introduction to Cluster Analysis, vol. 344. Wiley, New York (2009)
Kivimäki, I., et al.: A graph-based approach to skill extraction from text. In: Proceedings of TextGraphs-8 Graph-Based Methods for Natural Language Processing, pp. 79–87 (2013)
Liu, M., Wang, J., Abdelfatah, K., Korayem, M.: Tripartite vector representations for better job recommendation. arXiv preprint arXiv:1907.12379 (2019)
Maillart, T., Zhao, M., Grossklags, J., Chuang, J.: Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs. J. Cybersecur. 3(2), 81–90 (2017)
Malladi, S.S., Subramanian, H.C.: Bug bounty programs for cybersecurity: practices, issues, and recommendations. IEEE Software 37(1), 31–39 (2019)
Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013)
Miller, G.A.: WordNet: a lexical database for English. Commun. ACM 38(11), 39–41 (1995)
Mumtaz, S.: People selection for crowdsourcing tasks: representational abstractions and matching techniques. Ph.D. thesis, School of Computer Science and Engineering, Faculty of Engineering, UNSW Sydney (2020)
Mumtaz, S., Rodriguez, C., Benatallah, B.: Expert2vec: experts representation in community question answering for question routing. In: International Conference on Advanced Information Systems Engineering, pp. 213–229 (2019)
Mumtaz, S., Rodriguez, C., Benatallah, B., Al-Banna, M., Zamanirad, S.: Learning word representation for the cyber security vulnerability domain. In: 2020 International Joint Conference on Neural Networks (IJCNN), pp. 1–8. IEEE (2020)
Mumtaz, S., Wang, X.: Identifying top-k influential nodes in networks. In: Proceedings of the 26th ACM International Conference on Information and Knowledge Management, pp. 2219–2222 (2017)
Potter, L.E., Vickers, G.: What skills do you need to work in cyber security? A look at the Australian market. In: Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, pp. 67–72 (2015)
Shankaralingappa, D.M., De Francisci Morales, G., Gionis, A.: Extracting skill endorsements from personal communication data. In: Proceedings of the 25th ACM International Conference on Information and Knowledge Management, pp. 1961–1964 (2016)
Wang, Z., Li, S., Shi, H., Zhou, G.: Skill inference with personal and skill connections. In: Proceedings of COLING 2014, the 25th International Conference on Computational Linguistics: Technical Papers, pp. 520–529 (2014)
Zhang, C., et al.: TaxoGen: unsupervised topic taxonomy construction by adaptive term embedding and clustering. In: Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pp. 2701–2709 (2018)
Zhao, M., Javed, F., Jacob, F., McNair, M.: Skill: a system for skill identification and normalization. In: Twenty-Seventh IAAI Conference (2015)
Zhao, M., Grossklags, J., Liu, P.: An empirical study of web vulnerability discovery ecosystems. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1105–1117 (2015)
Zhou, W., Zhu, Y., Javed, F., Rahman, M., Balaji, J., McNair, M.: Quantifying skill relevance to job titles. In: 2016 IEEE International Conference on Big Data (Big Data), pp. 1532–1541. IEEE (2016)
Acknowledgement
This research was done in the context of the first author’s Ph.D. thesis [22]. We thank Scientia Prof. Boualem Benatallah for the useful feedback provided on this work.
© 2021 Springer Nature Switzerland AG
Cite this paper
Mumtaz, S., Rodriguez, C., Zamanirad, S. (2021). Security Professional Skills Representation in Bug Bounty Programs and Processes. In: Hacid, H., et al. Service-Oriented Computing – ICSOC 2020 Workshops. ICSOC 2020. Lecture Notes in Computer Science(), vol 12632. Springer, Cham. https://doi.org/10.1007/978-3-030-76352-7_33
DOI: https://doi.org/10.1007/978-3-030-76352-7_33
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-76351-0
Online ISBN: 978-3-030-76352-7
eBook Packages: Computer Science (R0)