Understanding the Heterogeneity of Contributors in Bug Bounty Programs

@article{Hata2017UnderstandingTH,
  title={Understanding the Heterogeneity of Contributors in Bug Bounty Programs},
  author={Hideaki Hata and M. Guo and Muhammad Ali Babar},
  journal={2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)},
  year={2017},
  pages={223-228}
}
  • Hideaki Hata, M. Guo, M. Babar
  • Published 19 September 2017
  • Computer Science
  • 2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)
Background: While bug bounty programs are not new in software development, an increasing number of companies, as well as open source projects, rely on external parties to perform the security assessment of their software for reward. However, there is relatively little empirical knowledge about the characteristics of bug bounty program contributors. Aim: This paper aims to understand those contributors by highlighting the heterogeneity among them. Method: We analyzed the histories of 82 bug…
Bug Bounty Programs – A Mapping Study
Based on the 72 identified papers, it is concluded that the research has been focused on the organisation of bug bounties from the product owner perspective, rather than on bug hunters and the market for bugs.
A Bug Bounty Perspective on the Disclosure of Web Vulnerabilities
The empirical results, based on a dataset covering nearly 160 thousand web vulnerabilities, suggest that OBB (Open Bug Bounty) has been successful as a community-based platform for the dissemination of web vulnerabilities, but there exists a large productivity gap, which likely relates to a knowledge gap and the use of automated tools for web vulnerability discovery.
Bounties in Open Source Development on GitHub: A Case Study of Bountysource Bounties
This paper investigates bounties in open source projects on GitHub to better understand how bounties can be leveraged to evolve such projects in terms of addressing issue reports, and finds that issue reports are more likely to be addressed if they are for projects in which bounties are used more frequently and if they were proposed earlier.
Bug Bounty Marketplaces and Enabling Responsible Vulnerability Disclosure: An Empirical Analysis
The research findings suggest that BBPs are valuable opportunities to source vulnerabilities in software; nevertheless, the rate of disclosure and hacker participation increases only marginally with vendors' rewards and other incentives.
"You've Got Your Nice List of Bugs, Now What?" Vulnerability Discovery and Management Processes in the Wild
It is found that organizations often struggle with vulnerability remediation and that vulnerability discovery efforts are hindered by significant trust, communication, funding, and staffing issues.
[Figure: three bug bounty arrangements, each showing the flow of bugs, disclosure and rewards between vendor and platform. B.1 Direct bug bounty; B.2 Two-sided bug bounty platform; B.3 One-sided bug bounty platform.]
Bug bounties have become increasingly popular in recent years. This paper discusses bug bounties by framing them theoretically against the so-called platform economy. Empirically the interest is on the…
Studying the Association between Bountysource Bounties and the Issue-addressing Likelihood of GitHub Issue Reports
This paper investigates bounties in open source projects on GitHub to better understand how bounties can be leveraged to evolve such projects in terms of addressing issue reports, and finds that issue reports are more likely to be addressed if they are for projects in which bounties are used more frequently and if they were proposed earlier.
Bounties on technical Q&A sites: a case study of Stack Overflow bounties
This study examines 129,202 bounty questions that were proposed by 61,824 bounty backers and shows that while bounties are not a silver bullet for getting a question solved, they are associated with a higher solving likelihood of a question in most cases.
Vulnerability disclosure mechanisms: A synthesis and framework for market-based and non-market-based disclosures
The analysis suggests that incentivizing hackers through market mechanisms changes hackers' motivations, leading to behavioral changes and eventually giving firms more control over the disclosure process.
Reputation Gaming in Stack Overflow
A comprehensive study of the reported types of reputation manipulation scenarios that might be exercised in Stack Overflow, and of the prevalence of such reputation gamers, is offered through a qualitative study of 1,697 posts from meta Stack Exchange sites.
