Banishing Misaligned Incentives for Validating Reports in Bug-Bounty Platforms
Aron Laszka, Mingyi Zhao, Jens Grossklags

Citation
Aron Laszka, Mingyi Zhao, Jens Grossklags. "Banishing Misaligned Incentives for Validating Reports in Bug-Bounty Platforms". 21st European Symposium on Research in Computer Security (ESORICS), September, 2016.

Abstract
Bug-bounty programs have the potential to harvest the efforts and diverse knowledge of thousands of white hat hackers. As a consequence, they are becoming increasingly popular as a key part of the security culture of organizations. However, bug-bounty programs can be riddled with myriads of invalid vulnerability-report submissions, which are partially the result of misaligned incentives between white hats and organizations. To further improve the effectiveness of bug-bounty programs, we introduce a theoretical model for evaluating approaches for reducing the number of invalid reports. We develop an economic framework and investigate the strengths and weaknesses of existing canonical approaches for effectively incentivizing higher validation efforts by white hats. Finally, we introduce a novel approach, which may improve efficiency by enabling different white hats to exert validation effort at their individually optimal levels.

Citation formats  
  • BibTeX
    @inproceedings{LaszkaZhaoGrossklags16_BanishingMisalignedIncentivesForValidatingReportsInBugBounty,
        author = {Aron Laszka and Mingyi Zhao and Jens Grossklags},
        title = {Banishing Misaligned Incentives for Validating
                  Reports in Bug-Bounty Platforms},
        booktitle = {21st European Symposium on Research in Computer
                  Security (ESORICS)},
        month = {September},
        year = {2016},
        abstract = {Bug-bounty programs have the potential to harvest
                  the efforts and diverse knowledge of thousands of
                  white hat hackers. As a consequence, they are
                  becoming increasingly popular as a key part of the
                  security culture of organizations. However,
                  bug-bounty programs can be riddled with myriads of
                  invalid vulnerability-report submissions, which
                  are partially the result of misaligned incentives
                  between white hats and organizations. To further
                  improve the effectiveness of bug-bounty programs,
                  we introduce a theoretical model for evaluating
                  approaches for reducing the number of invalid
                  reports. We develop an economic framework and
                  investigate the strengths and weaknesses of
                  existing canonical approaches for effectively
                  incentivizing higher validation efforts by white
                  hats. Finally, we introduce a novel approach,
                  which may improve efficiency by enabling
                  different white hats to exert validation effort at
                  their individually optimal levels.},
        URL = {http://cps-forces.org/pubs/251.html}
    }
    

Posted by Waseem Abbas on 2 Mar 2017.
Groups: forces

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.