
Problems and Solutions of the Korean Bug Bounty Program

Korean title: 한국 버그 바운티 프로그램의 제도적인 문제점과 해결방안 (Institutional Problems and Solutions of the Korean Bug Bounty Program)

  • 박혜성 (Department of Information Security, Graduate School of Information Security, Korea University);
  • 권헌영 (Department of Information Security, Graduate School of Information Security, Korea University)
  • Received : 2019.08.04
  • Accepted : 2019.11.04
  • Published : 2019.12.31

Abstract

As the fourth industrial revolution gradually emerges and information security grows in importance, an efficient and effective way to find vulnerabilities in information systems has become an essential requirement of information security. Viewing it as a means of protecting both current information and future industry, the Korean government has paid attention to the bug bounty, which has been recognized for its efficiency and effectiveness, and has implemented it through the Korea Internet Security Agency's S/W vulnerability bug bounty program. However, concerns are growing about the Korea Internet Security Agency's S/W vulnerability bug bounty program, which has been operating for about 7 years. The purpose of this study is to identify the problems in Korean bug bounty policy through the characteristics of the bug bounty program, and to suggest directions for government policy to activate bug bounties, such as changing the government's approach so that it makes use of the market.
