Abstract
In one aspect, the disclosure provides: A method comprising: inviting a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party; assessing reputation and skills of one or more of the researchers, and accepting a subset of the researchers who have a positive reputation and sufficient skills to perform the investigations of the computer vulnerabilities; assigning a particular computer vulnerability research project, relating to a particular network under test, to a particular researcher from among the subset of the researchers; using a computer that is logically interposed between the particular researcher and the particular network under test, monitoring communications between the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test; validating a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher; determining and providing an award to the particular researcher in response to successfully validating the report of the candidate security vulnerability of the particular network under test that is received from the particular researcher.
Claims
1. A data processing method comprising:
using a computer, inviting a distributed plurality of researcher computers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party;
using the computer, assigning a particular computer vulnerability research project, relating to a particular network under test, to a particular researcher computer from among a subset of the researcher computers;
using control logic that is logically interposed between the particular researcher computer and the particular network under test, monitoring networked data communications between the particular researcher computer and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
validating a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher computer;
wherein the validating comprises attempting duplication of the candidate security vulnerability after receiving the report;
performing one or more remediation operations on the particular network under test based at least in part upon the report;
wherein the method is performed using one or more computing devices.
2. The method of claim 1 comprising updating, based upon the report, an automated scanning system that is communicatively coupled to the control logic and to the particular network under test.
3. The method of claim 1 comprising, using the computer, assessing one or more of reputation and skills of one or more researchers who are associated with the researcher computers, and accepting as the subset only those researchers who have a positive reputation and sufficient skills to perform the investigations of the computer vulnerabilities.
4. The method of claim 1 comprising determining and providing an award to the particular researcher computer in response to successfully validating the report of the candidate security vulnerability of the particular network under test that is received from the particular researcher computer.
5. The method of claim 4 comprising:
determining a vulnerability score for the candidate security vulnerability of the particular network under test that is received from the particular researcher computer, wherein the vulnerability score indicates a relative importance of the candidate security vulnerability;
based upon the vulnerability score, determining and providing the award.
6. The method of claim 4 comprising:
determining a vulnerability score for the candidate security vulnerability of the particular network under test that is received from the particular researcher computer, wherein the vulnerability score indicates a relative importance of the candidate security vulnerability;
mapping the vulnerability score to a particular award that is within a range of a minimum award value and a maximum award value that are stored in a record identifying the candidate security vulnerability in a database;
based upon the mapping, determining and providing the particular award.
7. The method of claim 6 comprising:
determining and providing a plurality of awards of different amounts of points to the particular researcher computer in response to validating a plurality of different reports of different candidate security vulnerabilities that are received from the same particular researcher computer at different times within a period;
determining and providing an additional award to the same particular researcher when a sum of the different amounts of points awarded within the period is greater than a specified threshold.
8. The method of claim 1 comprising:
assigning two different particular computer vulnerability research projects, relating to two different particular networks under test, to two different geographically distant particular researcher computers from among the subset of the researcher computers;
using a computer that is logically interposed between the two different particular researcher computers and the two different particular networks under test, monitoring communications between the two different particular researcher computers and the two different particular networks under test, wherein the communications relate to attempting to identify two different candidate security vulnerabilities of the two different particular networks under test;
validating two different reports of the two different candidate security vulnerabilities of the two different particular networks under test that are received respectively from the two different particular researcher computers;
determining and providing two different awards to the two different particular researcher computers in response to successfully validating the reports.
9. The method of claim 1 comprising:
validating the particular security vulnerability by re-performing, on a target computer of the particular network under test, one or more operations that are identified in the report;
providing a validated report of the security vulnerability to an administrator computer that is associated with the particular network under test.
10. The method of claim 1 comprising:
assigning one particular computer vulnerability research project, relating to a particular network under test, to two different particular researcher computers from among the subset of the researcher computers;
using the control logic, monitoring communications between the two different particular researcher computers and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
receiving two different reports of the same candidate security vulnerability of the particular network under test from the two different particular researcher computers respectively;
validating a first report of the candidate security vulnerability of the particular network under test that is received from a first particular researcher computer;
determining that a second report, received from a second particular researcher computer, of the candidate security vulnerability is a duplicate report;
determining and providing the award only to the first particular researcher computer in response to successfully validating the first report.
11. The method of claim 1 comprising receiving, from an automated scanning system that is communicatively coupled to the control logic and to the particular network under test, one or more scanning reports based upon performing scanning operations on the particular network under test, and using the one or more scanning reports to provide baseline vulnerability data for the one or more computer vulnerability research projects.
12. A computer system comprising:
a first computer that is communicatively coupled to a plurality of networks under test, an automated scanning system and a vulnerability database, and that is logically interposed in a network topology between the plurality of networks under test and a distributed plurality of researcher computers;
one or more non-transitory computer-readable storage media in the first computer storing one or more sequences of instructions which when executed cause performing:
using the first computer, inviting the distributed plurality of researcher computers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party;
assigning a particular computer vulnerability research project, relating to a particular network under test, to a particular researcher computer from among a subset of the researcher computers;
using a second computer, monitoring networked data communications between the particular researcher computer and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
validating a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher computer;
wherein the validating comprises attempting duplication of the candidate security vulnerability after receiving the report;
performing one or more remediation operations on the particular network under test based at least in part upon the report.
13. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause updating, based upon the report, an automated scanning system that is communicatively coupled to the control logic and to the particular network under test.
14. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause, using the first computer, assessing one or more of reputation and skills of one or more researchers who are associated with the researcher computers, and accepting as the subset only those researchers who have a positive reputation and sufficient skills to perform the investigations of the computer vulnerabilities.
15. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause determining and providing an award to the particular researcher computer in response to successfully validating the report of the candidate security vulnerability of the particular network under test that is received from the particular researcher computer.
16. The computer system of claim 15, the storage media comprising sequences of instructions which when executed cause:
determining a vulnerability score for the candidate security vulnerability of the particular network under test that is received from the particular researcher computer, wherein the vulnerability score indicates a relative importance of the candidate security vulnerability;
based upon the vulnerability score, determining and providing the award.
17. The computer system of claim 15, the storage media comprising sequences of instructions which when executed cause:
determining a vulnerability score for the candidate security vulnerability of the particular network under test that is received from the particular researcher computer, wherein the vulnerability score indicates a relative importance of the candidate security vulnerability;
mapping the vulnerability score to a particular award that is within a range of a minimum award value and a maximum award value that are stored in a record identifying the candidate security vulnerability in a database;
based upon the mapping, determining and providing the particular award.
18. The computer system of claim 17, the storage media comprising sequences of instructions which when executed cause:
determining and providing a plurality of awards of different amounts of points to the particular researcher computer in response to validating a plurality of different reports of different candidate security vulnerabilities that are received from the same particular researcher computer at different times within a period;
determining and providing an additional award to the same particular researcher when a sum of the different amounts of points awarded within the period is greater than a specified threshold.
19. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause:
assigning two different particular computer vulnerability research projects, relating to two different particular networks under test, to two different geographically distant particular researcher computers from among the subset of the researcher computers;
using a computer that is logically interposed between the two different particular researcher computers and the two different particular networks under test, monitoring communications between the two different particular researcher computers and the two different particular networks under test, wherein the communications relate to attempting to identify two different candidate security vulnerabilities of the two different particular networks under test;
validating two different reports of the two different candidate security vulnerabilities of the two different particular networks under test that are received respectively from the two different particular researcher computers;
determining and providing two different awards to the two different particular researcher computers in response to successfully validating the reports.
20. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause:
validating the particular security vulnerability by re-performing, on a target computer of the particular network under test, one or more operations that are identified in the report;
providing a validated report of the security vulnerability to an administrator computer that is associated with the particular network under test.
21. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause:
assigning one particular computer vulnerability research project, relating to a particular network under test, to two different particular researcher computers from among the subset of the researcher computers;
using the control logic, monitoring communications between the two different particular researcher computers and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test;
receiving two different reports of the same candidate security vulnerability of the particular network under test from the two different particular researcher computers respectively;
validating a first report of the candidate security vulnerability of the particular network under test that is received from a first particular researcher computer;
determining that a second report, received from a second particular researcher computer, of the candidate security vulnerability is a duplicate report;
determining and providing the award only to the first particular researcher computer in response to successfully validating the first report.
22. The computer system of claim 12, the storage media comprising sequences of instructions which when executed cause: receiving, from an automated scanning system that is communicatively coupled to the first computer and to the particular network under test, one or more scanning reports based upon performing scanning operations on the particular network under test, and using the one or more scanning reports to provide baseline vulnerability data for the one or more computer vulnerability research projects.
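Worked illustration of the award logic in claims 5 through 7 and 10 (mirrored by claims 16 through 18 and 21): the score-to-award mapping within a stored minimum and maximum, the once-per-period bonus when a researcher's summed points exceed a threshold, and first-validated-wins handling of duplicate reports. This is an added Python example, not code from the patent or from Synack. The 0-10 score scale, the calendar-month period, the award ranges, the report fingerprint scheme and the stub validator are assumptions; in a deployment the validator would be the re-performing step of claim 9 against the network under test.

```python
"""Award determination for validated vulnerability reports.

Added example, not code from the patent or from Synack. Assumptions: a 0-10
vulnerability score, a calendar-month bonus period, an award range per
vulnerability class, and a report fingerprint used to detect duplicates.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class VulnRecord:
    """Database record for a vulnerability class with its award range (claim 6)."""
    name: str
    min_award: int
    max_award: int


@dataclass(frozen=True)
class Report:
    """A candidate vulnerability report received from a researcher computer."""
    researcher: str
    vuln_class: str
    fingerprint: str   # assumed: stable key over (host, endpoint, parameter, weakness)
    score: float       # relative importance on an assumed 0-10 scale (claim 5)
    received: datetime


def map_score_to_award(score: float, record: VulnRecord) -> int:
    """Map the score linearly onto [min_award, max_award] (claim 6).

    The score is clamped first so that a malformed or inflated score can never
    yield an award outside the range stored for the vulnerability class.
    """
    s = min(max(score, 0.0), 10.0)
    return round(record.min_award + (record.max_award - record.min_award) * s / 10.0)


class AwardEngine:
    """Validates reports in arrival order, pays first-validated-wins awards (claim 10)
    and a once-per-period bonus when a researcher's points exceed a threshold (claim 7)."""

    def __init__(self, records: List[VulnRecord], validator: Callable[[Report], bool],
                 bonus_threshold: int = 2000, bonus: int = 250) -> None:
        self.records = {r.name: r for r in records}
        self.validator = validator                      # attempts duplication of the finding (claim 1)
        self.first_validated: Dict[str, str] = {}       # fingerprint -> researcher credited
        self.points: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.bonus_paid: Set[Tuple[str, str]] = set()
        self.bonus_threshold = bonus_threshold
        self.bonus = bonus

    def process(self, report: Report) -> dict:
        # The duplicate check is against validated reports only: an earlier report
        # that failed reproduction does not block a later, reproducible one.
        if report.fingerprint in self.first_validated:
            return {"status": "duplicate", "award": 0, "bonus": 0,
                    "credited_to": self.first_validated[report.fingerprint]}
        if not self.validator(report):
            return {"status": "not_reproduced", "award": 0, "bonus": 0}
        self.first_validated[report.fingerprint] = report.researcher
        award = map_score_to_award(report.score, self.records[report.vuln_class])
        period = report.received.strftime("%Y-%m")     # assumed calendar-month period
        self.points[report.researcher][period] += award
        bonus = 0
        key = (report.researcher, period)
        if self.points[report.researcher][period] > self.bonus_threshold and key not in self.bonus_paid:
            self.bonus_paid.add(key)                    # threshold bonus is paid once per period
            bonus = self.bonus
        return {"status": "validated", "award": award, "bonus": bonus}


# Constructed stand-in for the re-performing step of claim 9: the fingerprints on
# which the duplication attempt against the network under test succeeded.
REPRODUCIBLE = {"sqli:shop.example/search?q", "xss:shop.example/profile#name",
                "xss:shop.example/profile#bio"}


def stub_validator(report: Report) -> bool:
    return report.fingerprint in REPRODUCIBLE


def run_demo() -> List[dict]:
    """Feed a constructed sequence of reports through the engine and return the outcomes."""
    engine = AwardEngine(
        [VulnRecord("sqli", min_award=500, max_award=2000),
         VulnRecord("xss", min_award=100, max_award=750)],
        stub_validator)
    t = datetime(2014, 5, 6, 10, 0)
    reports = [
        Report("alice", "sqli", "sqli:shop.example/search?q", 9.0, t),
        Report("bob", "sqli", "sqli:shop.example/search?q", 9.5, t.replace(minute=30)),    # duplicate
        Report("bob", "xss", "xss:shop.example/search#q", 6.0, t.replace(hour=11)),       # not reproducible
        Report("alice", "xss", "xss:shop.example/profile#name", 4.0, t.replace(hour=12)),
        Report("alice", "xss", "xss:shop.example/profile#bio", 12.0, t.replace(hour=13)),  # out-of-range score
    ]
    return [engine.process(r) for r in reports]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Two design points worth noting. Duplicates are decided against the set of already validated fingerprints rather than against everything received, which matches claim 10's ordering (validate the first report, then declare the second a duplicate) and avoids a researcher losing credit to an earlier submission that never reproduced. The bonus is keyed on (researcher, period) so that continuing to exceed the threshold within the same period does not pay it again.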
Owners (US)
-
Synack Inc
(May 06 2014)
Applicants
-
Synack Inc
Inventors
-
Kaplan Jay
-
Kuhr Mark
US Classifications
-
726/25
Document Preview
- Publication: Apr 21, 2015
-
Application:
May 6, 2014
US 201414271110 A
-
Priority:
May 6, 2014
US 201414271110 A