US 2017/0289174 A1 - Security Assessment Incentive Method For Promoting Discovery Of Computer Software Vulnerabilities - The Lens

Security Assessment Incentive Method For Promoting Discovery Of Computer Software Vulnerabilities

Published: Oct 5, 2017
Earliest Priority: May 06 2014
Family: 4
Cited Works: 0
Cited by: 0
Cites: 0
Additional Info: Full text

Abstract

In one aspect, the disclosure provides: A method comprising: assessing a plurality of researchers as a precondition for receiving an invitation to be a researcher of a distributed plurality of researchers, resulting in the distributed plurality of researchers wherein each researcher is associated with one or more tags in records that identify the researcher for one or more attributes; inviting a subset of the distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more computers that are owned or operated by a third party, the subset of the distributed plurality of researchers selected based on the one or more tags in records that identify the researcher and a description of the computer vulnerabilities of the one or more computers; using a computer that is communicatively coupled to a particular researcher among the subset of the distributed plurality of researchers and a network under test among the one or more computers, monitoring communications between the particular researcher and the particular third party computer, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular third party computer; in response to a report of the candidate security vulnerability of the particular third party computer that is received from the particular researcher, evaluating the report of the candidate security vulnerability.

Claims

A computer-implemented data processing method comprising:
electronically inviting, using a Launch Point computer, a distributed plurality of researcher computers to identify computer vulnerabilities of one or more third party computer networks;

monitoring, using the Launch Point computer, communications between a particular researcher computer among the distributed plurality of researcher computers and a particular third party computer network among the one or more third party computer networks,

wherein the communications relate to identifying a security vulnerability of the particular third party computer network and the communications include electronic communications;

receiving, from the particular researcher computer, a report regarding security vulnerabilities of the particular third party computer network;

evaluating the report based on the monitored communications.
The computer-implemented data processing method of claim 1, wherein the monitoring comprises determining a number of network trips in the communications or a scope of access to the particular third-party computer network by the particular researcher computer in the communications.
The computer-implemented data processing method of claim 1, wherein the communications comprise any of: network data associated with the particular third party computer network that is accessed by the particular researcher computer; input data received from a user by the particular researcher computer in communicating with the particular third party computer network; network data that was dynamically generated by the particular third party computer network in communicating with the particular researcher computer; or packet flows between the particular researcher computer and the particular third party computer in the communications.
The computer-implemented data processing method of claim 3, the communications comprising network data associated with the particular third party computer network that is accessed by the particular researcher computer, including URLs of the network data associated with the particular third party computer network.
The computer-implemented data processing method of claim 3, the communications comprising input data received from a user by the particular researcher computer in communicating with the particular third party computer network, including information regarding keystrokes received by the particular researcher computer.
The computer-implemented data processing method of claim 3, the communications comprising network data that was dynamically generated by the particular third party computer network in communicating with the particular researcher computer, including URLs of the network data generated by the particular third party computer network.
The computer-implemented data processing method of claim 1, further comprising performing a remedial action on the particular third party computer network based on the evaluating.
The computer-implemented data processing method of claim 7, wherein the remedial action is a recommendation in the report.
The computer-implemented data processing method of claim 7, wherein performing the redial action comprises:
installing a software update on the particular third party computer network, or

updating system configuration data for the third party computer network.
The computer-implemented data processing method of claim 9, wherein updating system configuration data comprises:
reconfiguring a network topology of the third party computer network, or

reconfiguring an automatic attack detection system within the third party computer network.
The computer-implemented data processing method of claim 1,
wherein the report includes an executed questionnaire,

wherein the evaluating comprises comparing the report against a database of existing reports including other executed questionnaires and determining whether the security vulnerabilities have been previously reported.
The computer-implemented data processing method of claim 1, further comprising
delivering a result of evaluating to a client computer over a communication network,

wherein the report identifies one or more computer vulnerabilities of the third party computer network.
The computer-implemented data processing method of claim 12, further comprising
receiving status information regarding one of the one identified computer vulnerability from the client computer,

wherein the status information indicates whether the one computer vulnerability has been addressed.
The computer-implemented data processing method of claim 1, further comprising
performing an initial assessment of the one or more third party computer networks,

wherein the electronically inviting is based on a result of the performing.
The computer-implemented data processing method of claim 1, further comprising creating records of specific projects to identify computer vulnerabilities in the one or more third party computer networks.
The computer-implemented data processing method of claim 15, the records of specific projects including a description of specific computer assets in which the computer vulnerabilities are to be identified.
A computer-implemented data processing method, comprising:
generating, using an automated scanning system, baseline vulnerability data regarding one or more networks or computers communicatively coupled to the automatic scanning system;

electronically distributing, using a Launch Point computer, the baseline vulnerability data to a plurality of researcher computers over one or more communication networks,

wherein the researcher computers validate the vulnerability data against the one or more networks or computers;

receiving, from the researcher computers, feedback on validity of the vulnerability data;

updating the automated system based on the received feedback.
The computer-implemented data processing method of claim 17, wherein the updating comprises transforming the vulnerability data into a more generic form that is compatible with the automated scanning system.
A non-transitory machine-readable medium having instructions stored thereon, the instructions executable by the one or more processors to perform:
using a Launch Point computer, assessing a plurality of researchers as a precondition for receiving an invitation to be a researcher of a distributed plurality of researchers, resulting in forming the distributed plurality of researchers in which each researcher is associated in digitally stored data records with one or more tags that identify the researcher for one or more attributes;

using the Launch Point computer, electronically inviting a subset of the distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more third party computers that are owned or operated by a third party, the subset of the distributed plurality of researchers selected based on the one or more tags in records that identify the researcher and a description of the computer vulnerabilities of the one or more third party computers;

using the Launch Point computer that is communicatively coupled to a particular researcher among the subset of the distributed plurality of researchers and a particular third party computer under test among the one or more third party computers, monitoring communications between the particular researcher and the particular third party computer under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular third party computer under test and the communications include electronic communications;

in response to a report of the candidate security vulnerability of the particular third party computer that is received from the particular researcher, evaluating the report of the candidate security vulnerability based upon the candidate security vulnerability identified in the report by the particular researcher in the report and the monitored communications between the particular researcher and the particular third party computer under test.
The non-transitory machine-readable medium of claim 19, the instructions executable to further perform, using the Launch Point computer, comparing the one or more tags in records that identify the researcher for one or more attributes to a description of the one or more third party computers.