Understanding the Heterogeneity of Contributors in Bug Bounty Programs

Hata, Hideaki; Guo, Mingyu; Babar, Muhammad Ali

doi:10.1109/esem.2017.34

Cited by 26 publications

(17 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The insufficient report quality is a casualty of first-come firstserved response to verified submissions, with hackers sometimes racing to submit a vulnerability. With many hackers concentrating on capitalising from their skills economically, many look to maximise the number of submissions rather than focusing on specific vulnerabilities (Hata et al, 2017). Potentially, this issue is encouraged with admission to private programs.…”

Section: Bug Bounty Issuesmentioning

confidence: 99%

“…Without greater incentivisation to outweigh the decreased probability to discover bugs, there is a potential problem with incomplete coverage possibly leading to a false perception of security. The heterogeneity of hacker skillsets may mitigate this problem to some extent (Hata et al, 2017).…”

Section: Bug Bounty Issuesmentioning

confidence: 99%

“…However, this process does introduce specific threats arising from the introduction of individuals upstream other than the vendor (Hata et al, 2017).…”

Section: Direct Crowd-vetted Bug Bountymentioning

confidence: 99%

“…Bug bounty participants are heterogeneous, with the majority never achieving a successful submission (Hata et al, 2017). However, in the proposed method, these less successful participants can still contribute to the program through the verification process.…”

Section: Aspects Of Gamificationmentioning

confidence: 99%

See 3 more Smart Citations

Proposal of a Novel Bug Bounty Implementation Using Gamification

O'Hare¹,

Shepherd²

2020

Preprint

View full text Add to dashboard Cite

Despite significant popularity, the bug bounty process has remained broadly unchanged since its inception, with limited implementation of gamification aspects. Existing literature recognises that current methods generate intensive resource demands, and can encounter issues impacting program effectiveness. This paper proposes a novel bug bounty process aiming to alleviate resource demands and mitigate inherent issues. Through the additional crowdsourcing of report verification where fellow hackers perform vulnerability verification and reproduction, the client organisation can reduce overheads at the cost of rewarding more participants. The incorporation of gamification elements provides a substitute for monetary rewards, as well as presenting possible mitigation of bug bounty program effectiveness issues. Collectively, traits of the proposed process appear appropriate for resource and budget-constrained organisations -such Higher Education institutions.

show abstract

Section: Bug Bounty Issuesmentioning

confidence: 99%

Section: Bug Bounty Issuesmentioning

confidence: 99%

“…However, this process does introduce specific threats arising from the introduction of individuals upstream other than the vendor (Hata et al, 2017).…”

Section: Direct Crowd-vetted Bug Bountymentioning

confidence: 99%

Section: Aspects Of Gamificationmentioning

confidence: 99%

See 2 more Smart Citations

Proposal of a Novel Bug Bounty Implementation Using Gamification

O'Hare¹,

Shepherd²

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…A number of companies and FLOSS projects rely on external parties to perform the security assessment of their software for reward called bug bounty program. It is reported that there are non-project-specific bug bounty hunters and they are different from traditional contributors who work on specific projects [10]. Nakasai et al studied the impact of budges donors will get and reported that monetary contributions have impact on software development processes [11].…”

Section: Introductionmentioning

confidence: 99%

Toward Sustainable Communities with a Community Currency – A Study in Car Sharing

Nakasai

Ikutani

Takata

et al. 2019

2019 20th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distribu

Self Cite

View full text Add to dashboard Cite

We consider Free/libre and open source software (FLOSS) as a common pool resource (CPR). In economics, CPRs are frequently associated with markets, and it is reported that without appropriate agreement, monitoring and sanction, the resource will be overused. Toward building sustainable communities in FLOSS development, we first study our car-sharing experiment at NAIST, as a common pool resource management. We report the details of the car uses in our experiment, and describe the design of our new system to make better CPR management.

show abstract