Team for Research in
Ubiquitous Secure Technology

Improved Support for Machine-Assisted Ballot-Level Audits
David Wagner

Citation
David Wagner. "Improved Support for Machine-Assisted Ballot-Level Audits". Talk or presentation, 10, October, 2013.

Abstract
We perform an empirical study to better understand two well-known vulnerability rewards programs, or VRPs, which software vendors use to encourage community participation in finding and responsibly disclosing software vulnerabilities. The Chrome VRP has cost approximately $580,000 over 3 years and has resulted in 501 bounties paid for the identification of security vulnerabilities. The Firefox VRP has cost approximately $570,000 over the last 3 years and has yielded 190 bounties. 28% of Chrome’s patched vulnerabilities appearing in security advisories over this period, and 24% of Firefox’s, are the result of VRP contributions. Both programs appear economically efficient, comparing favorably to the cost of hiring full-time security researchers. The Chrome VRP features low expected payouts accompanied by high potential payouts, while the Firefox VRP features fixed payouts. Finding vulnerabilities for VRPs typically does not yield a salary comparable to a full-time job; the common case for recipients of rewards in either program is that they have received only one reward. Firefox has far more critical-severity vulnerabilities than Chrome, which we believe is attributable to an architectural difference between the two browsers.

Electronic downloads

Citation formats  
  • HTML
    David Wagner. <a
    href="http://www.truststc.org/pubs/928.html"
    ><i>Improved Support for Machine-Assisted
    Ballot-Level Audits</i></a>, Talk or
    presentation,  10, October, 2013.
  • Plain text
    David Wagner. "Improved Support for Machine-Assisted
    Ballot-Level Audits". Talk or presentation,  10,
    October, 2013.
  • BibTeX
    @presentation{Wagner13_ImprovedSupportForMachineAssistedBallotLevelAudits,
        author = {David Wagner},
        title = {Improved Support for Machine-Assisted Ballot-Level
                  Audits},
        day = {10},
        month = {October},
        year = {2013},
        abstract = {We perform an empirical study to better understand
                  two well-known vulnerability rewards programs, or
                  VRPs, which software vendors use to encourage
                  community participation in finding and responsibly
                  disclosing software vulnerabilities. The Chrome
                  VRP has cost approximately $580,000 over 3 years
                  and has resulted in 501 bounties paid for the
                  identification of security vulnerabilities. The
                  Firefox VRP has cost approximately $570,000 over
                  the last 3 years and has yielded 190 bounties. 28%
                  of Chrome’s patched vulnerabilities appearing in
                  security advisories over this period, and 24% of
                  Firefox’s, are the result of VRP contributions.
                  Both programs appear economically efficient,
                  comparing favorably to the cost of hiring
                  full-time security researchers. The Chrome VRP
                  features low expected payouts accompanied by high
                  potential payouts, while the Firefox VRP features
                  fixed payouts. Finding vulnerabilities for VRPs
                  typically does not yield a salary comparable to a
                  full-time job; the common case for recipients of
                  rewards in either program is that they have
                  received only one reward. Firefox has far more
                  critical-severity vulnerabilities than Chrome,
                  which we believe is attributable to an
                  architectural difference between the two browsers.},
        URL = {http://www.truststc.org/pubs/928.html}
    }
    

Posted by Carolyn Winter on 18 Nov 2013.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.