Team for Research in
Ubiquitous Secure Technology

Citation
David Wagner. "Improved Support for Machine-Assisted Ballot-Level Audits". Talk or presentation, 10, October, 2013.

Abstract
We perform an empirical study to better understand two well-known vulnerability rewards programs, or VRPs, which software vendors use to encourage community participation in finding and responsibly disclosing software vulnerabilities. The Chrome VRP has cost approximately $580,000 over 3 years and has resulted in 501 bounties paid for the identification of security vulnerabilities. The Firefox VRP has cost approximately $570,000 over the last 3 years and has yielded 190 bounties. 28% of Chrome’s patched vulnerabilities appearing in security advisories over this period, and 24% of Firefox’s, are the result of VRP contributions. Both programs appear economically efficient, comparing favorably to the cost of hiring full-time security researchers. The Chrome VRP features low expected payouts accompanied by high potential payouts, while the Firefox VRP features fixed payouts. Finding vulnerabilities for VRPs typically does not yield a salary comparable to a full-time job; the common case for recipients of rewards in either program is that they have received only one reward. Firefox has far more critical-severity vulnerabilities than Chrome, which we believe is attributable to an architectural difference between the two browsers.

Electronic downloads

• Wagner_opencount_2013_10_TRUST.pdf · application/pdf · 6574 kbytes

• HTML

  David Wagner. <a
  href="http://www.truststc.org/pubs/928.html"
  ><i>Improved Support for Machine-Assisted
  Ballot-Level Audits</i></a>, Talk or
  presentation,  10, October, 2013.

• Plain text

  David Wagner. "Improved Support for Machine-Assisted
  Ballot-Level Audits". Talk or presentation,  10,
  October, 2013.

• BibTeX

  @presentation{Wagner13_ImprovedSupportForMachineAssistedBallotLevelAudits,
      author = {David Wagner},
      title = {Improved Support for Machine-Assisted Ballot-Level
                Audits},
      day = {10},
      month = {October},
      year = {2013},
      abstract = {We perform an empirical study to better understand
                two well-known vulnerability rewards programs, or
                VRPs, which software vendors use to encourage
                community participation in finding and responsibly
                disclosing software vulnerabilities. The Chrome
                VRP has cost approximately $580,000 over 3 years
                and has resulted in 501 bounties paid for the
                identification of security vulnerabilities. The
                Firefox VRP has cost approximately $570,000 over
                the last 3 years and has yielded 190 bounties. 28%
                of Chrome’s patched vulnerabilities appearing in
                security advisories over this period, and 24% of
                Firefox’s, are the result of VRP contributions.
                Both programs appear economically efficient,
                comparing favorably to the cost of hiring
                full-time security researchers. The Chrome VRP
                features low expected payouts accompanied by high
                potential payouts, while the Firefox VRP features
                fixed payouts. Finding vulnerabilities for VRPs
                typically does not yield a salary comparable to a
                full-time job; the common case for recipients of
                rewards in either program is that they have
                received only one reward. Firefox has far more
                critical-severity vulnerabilities than Chrome,
                which we believe is attributable to an
                architectural difference between the two browsers.},
      URL = {http://www.truststc.org/pubs/928.html}
  }
  

Posted by Carolyn Winter on 18 Nov 2013.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.