Authors: ZHAO Liu-rong [1]; XU Zi-wang; JIANG Ming-min (School of Economics and Management, Nanjing Tech University, Nanjing 211816, China)
Affiliation: [1] School of Economics and Management, Nanjing Tech University, Nanjing, Jiangsu 211816, China
Source: Mathematics in Practice and Theory (数学的实践与认识), 2025, No. 2, pp. 18-27 (10 pages)
Funding: Youth Project of the Humanities and Social Sciences Fund of the Ministry of Education (22YJC630214); Youth Project of the National Natural Science Foundation of China (71801125).
Abstract: As an emerging vulnerability management model, bug bounty programs released through a Security Response Centre (SRC) have attracted strong attention from enterprises, and choosing a suitable platform on which to run a bug bounty program in the face of increasingly severe cybersecurity threats has become an important issue. This paper constructs game models of the stakeholders on different platforms, analyzes the factors that affect an enterprise's implementation of a bug bounty program, and examines how those factors act on the bounty and on vulnerability report quality. The results show that in the self-built SRC scenario, the bounty and the vulnerability report quality both increase as the number of vulnerability reports and the level of contract terms increase, but decrease as the review response time increases. In the third-party SRC scenario, the bounty increases as the number of vulnerability reports increases, but decreases as the level of contract terms and the review response time increase; vulnerability report quality increases as the number of vulnerability reports and the level of contract terms increase. When the information level of the contract terms is low, an enterprise in the self-built SRC scenario can run a bug bounty program with a lower bounty, but cannot obtain the higher vulnerability report quality available through a third-party SRC; when the information level of the contract terms and the risk compensation of the third-party SRC platform are both high, an enterprise in the third-party SRC scenario obtains higher benefits and higher vulnerability report quality.
Keywords: self-built SRC; third-party SRC; bug bounty program; bounty; vulnerability report quality
Classification: TP3 [Automation and Computer Technology - Computer Science and Technology]