Borneo International Journal eISSN 2636-9826 http://majmuah.com/journal/index.php/bij
<p>Borneo International Journal ISSN 2636-9826 (online) is a single-blind peer-reviewed, Open Access journal that publishes original research and reviews covering a wide range of subjects in Islamic studies, Arabic language, science, technology, business, management, social science, architecture and medicine. It also publishes special issues of selected conference papers.</p>
Contact: borneointernationaljournal@gmail.com (Editor-in-Chief: Ir. Rudiyanto Philman Jong). Feed date: Thu, 04 Jun 2026 16:41:38 +0000 (OJS 3.1.1.4).

A Qualitative Document Analysis of Public Vulnerability Disclosure and Bug Bounty Policies from Selected Technology Companies
http://majmuah.com/journal/index.php/bij/article/view/990
<p>Public vulnerability disclosure policies and bug bounty programmes are now common instruments of cybersecurity governance, but the quality of these documents varies in ways that affect researcher participation, organisational accountability, and user protection. This paper re-examines public vulnerability disclosure and bug bounty policies from selected technology companies through qualitative document analysis. The analysis treats policy documents not as routine support pages, but as organisational texts that define authorised conduct, allocate risk, communicate trust, and structure the practical relationship between companies and external security researchers. The study focuses on six dimensions: scope, reporting procedure, safe-harbour protection, reward logic, disclosure timing, and response transparency. The paper finds that public policies commonly perform two roles at once.
On the surface, they invite cooperation and signal openness to external security reporting. At a deeper level, they preserve organisational control through eligibility rules, exclusions, conditional legal protection, discretionary reward decisions, and open-ended remediation timelines. This tension is consistent with prior research showing that vulnerability disclosure is shaped not only by technical discovery, but also by incentives, market design, vendor response behaviour, legal uncertainty, and trust between organisations and researchers. The paper argues that policy maturity should therefore be assessed by documentary quality rather than by visibility alone. A mature policy should provide clear scope, credible safe harbour, usable reporting instructions, transparent triage expectations, proportionate disclosure rules, and fair reward criteria. These features do not remove company control, but they make that control more predictable and accountable. The analysis concludes that disclosure and bounty policies are operational governance instruments, and that weak drafting can reduce the practical value of otherwise well-intentioned cybersecurity programmes.</p>
<p><strong>Keywords:</strong> bug bounty, coordinated vulnerability disclosure, cybersecurity governance, document analysis, safe harbour, vulnerability disclosure</p>
Ruhaifi Zainol, Mohamad Fadli Zolkipli. Published Thu, 04 Jun 2026 16:29:45 +0000.

Zero-Knowledge Proofs in Penetration Testing: Verifying Vulnerabilities Without Revealing Sensitive Information
http://majmuah.com/journal/index.php/bij/article/view/988
<p>In penetration testing practice, vulnerability verification usually relies on reproducing the exploitation process or describing the attack path.
Although this method can provide direct evidence of the authenticity of the vulnerability, it may also introduce additional risks if the vulnerability has not been repaired or involves sensitive systems, such as abuse of the attack method or overexposure of internal system information. Therefore, how to minimise information disclosure while ensuring the validity of verification has gradually become a practical problem that must be faced in the process of security assessment. Focussing on this contradiction, zero-knowledge proof provides a technical path different from the traditional way of thinking. Its basic idea is not to hide the information itself, but to change the verification method: the question of "whether the loophole can be triggered" is transformed into a formal proposition and verified through a proof mechanism, so that the verifier can confirm the existence of the vulnerability without the specific input, execution path or exploitation details being disclosed. Based on this idea, this article analyses the application of zero-knowledge proof to vulnerability verification in combination with the typical process of penetration testing. It focusses on the formal modelling method for the vulnerability exploitation process, the construction method of the constraint system, and the proof generation and verification mechanism, and, drawing on existing research, sorts out possible applications in scenarios such as vulnerability disclosure, test result verification and software supply chain security. The analysis shows that this method has certain advantages in reducing the risk of sensitive information leakage and enhancing the independence of the verification process, and is especially suitable for environments with multi-party participation or weak trust. At the same time, however, it still has certain limitations in terms of computing overhead, model expressiveness and engineering complexity.
These trade-offs need to be weighed according to the specific scenario in practical application and further addressed by follow-up research.</p>
<p>Keywords: zero-knowledge proof (ZKP); penetration test; vulnerability verification; information disclosure control; software supply chain security</p>
Yuchong Cui, Mohamad Fadli Zolkipli. Published Thu, 04 Jun 2026 16:33:43 +0000.

Comparison of the Efficacy of Capture The Flag (CTF) in Gamified Cybersecurity Training in Corporate Workforce
http://majmuah.com/journal/index.php/bij/article/view/989
<p>Gamified cybersecurity education techniques, especially Capture The Flag (CTF) games, have become an increasingly common alternative to conventional compliance-based awareness initiatives in business settings. Although they have become increasingly popular, little has been studied on their long-term return on investment (ROI) in actual organizational contexts. In this paper, the impact of CTF-based training relative to traditional cybersecurity training is assessed on key performance indicators such as knowledge retention, behavioural change, and financial outcomes. To synthesize the existing evidence on training effectiveness and ROI-related measures, a systematic review of 22 peer-reviewed sources published between 2021 and 2026 was conducted. The results show that CTF-based training consistently outperforms conventional training, with better knowledge retention, better engagement and reduced vulnerability to phishing attacks. Moreover, gamified training strategies show possible economic advantages in the form of a decrease in security attacks and a higher level of employee readiness. Longitudinal research in corporate settings, however, is not abundant, especially where full-time employees are studied and the duration of evaluation is more than twelve months.
To fill this gap, this paper proposes a multidimensional ROI evaluation system that incorporates pre- and post-training evaluations, behavioural monitoring, incident monitoring and post-training follow-ups at 3, 6 and 12 months. The proposed framework provides a viable methodology to assist organizations in determining the success of CTF training and in making informed decisions about cybersecurity investment.</p>
Abdikani Osman Abdalla, Mohamad Fadli Zolkipli. Published Thu, 04 Jun 2026 16:36:28 +0000.

Serverless Security Misconfigurations in Event-Driven Architectures
http://majmuah.com/journal/index.php/bij/article/view/991
<p>The proliferation of serverless computing and Function-as-a-Service (FaaS) architectures has fundamentally transformed cloud-native application development, enabling unprecedented scalability and operational efficiency. However, the abstraction of underlying infrastructure has introduced a distinct attack surface characterized by critical security misconfigurations, inadequate runtime isolation, and complex privilege escalation vectors. This systematic review examines emerging security threats and modern defense mechanisms within event-driven serverless architectures, specifically focusing on AWS Lambda and Azure Functions environments. Through comprehensive analysis of recent literature (2020–2025) and industry reports, this study identifies five critical protection domains: runtime isolation vulnerabilities, Denial-of-Wallet (DoW) attacks, supply chain risks in function dependencies, over-privileged Identity and Access Management (IAM) configurations, and cross-tenant data leakage.
The analysis reveals significant gaps in Backend-as-a-Service (BaaS) orchestration layer security and highlights the transition toward lightweight Trusted Execution Environments (TEEs), microVM-based isolation (Firecracker), and agentless monitoring solutions. This review evaluates the efficacy of emerging defenses including WebAssembly sandboxing, artificial intelligence-driven anomaly detection, and zero-trust architectures in mitigating sophisticated attacks while maintaining serverless performance characteristics. This review contributes a holistic security framework that addresses the intersection of event-driven workflows and serverless misconfigurations, providing actionable insights for practitioners and researchers navigating the evolving threat landscape of 2024–2025. The findings underscore the necessity for defense mechanisms that balance security rigor with the energy efficiency and cold-start latency requirements inherent to serverless paradigms.</p>
Marhakim Mohamad Mokhtar, Mohamad Fadli Zolkipli. Published Thu, 04 Jun 2026 16:40:08 +0000.

A Conceptual Framework for Smart Contract Vulnerability Detection: Automated Auditing Tools vs. Ethical Hacking in DeFi Protocols
http://majmuah.com/journal/index.php/bij/article/view/992
<p>Smart contracts are the foundational pillars of Decentralized Finance (DeFi), yet their immutable nature makes them high-value targets for exploitation. This study proposes a conceptual framework that integrates automated auditing tools (utilizing static analysis, symbolic execution, and fuzzing) with manual ethical hacking methodologies. Through systematic literature mapping and STRIDE-based threat modeling, this research evaluates the efficacy of these techniques in identifying critical vulnerabilities such as reentrancy and integer overflows.
The findings reveal that while automated tools offer unparalleled scalability, they significantly lack the contextual logic awareness required to detect complex business logic flaws. Consequently, this paper argues for a hybrid security posture, transitioning from traditional infrastructure-centric defense to an identity- and logic-centric paradigm. The framework serves as a structured roadmap for cybersecurity practitioners and researchers to enhance the resilience of blockchain ecosystems.</p>
Norsyazwani Binti Mohd Puad, Mohamad Fadli Zolkipli. Published Fri, 05 Jun 2026 08:24:36 +0000.