Banishing misaligned incentives for validating reports in bug-bounty platforms

Aron Laszka, Mingyi Zhao, Jens Grossklags

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Scopus citations

Abstract

Bug-bounty programs have the potential to harvest the efforts and diverse knowledge of thousands of white-hat hackers. As a consequence, they are becoming increasingly popular as a key part of the security culture of organizations. However, bug-bounty programs can be riddled with myriad invalid vulnerability-report submissions, which are partially the result of misaligned incentives between white hats and organizations. To further improve the effectiveness of bug-bounty programs, we introduce a theoretical model for evaluating approaches to reducing the number of invalid reports. We develop an economic framework and investigate the strengths and weaknesses of existing canonical approaches for effectively incentivizing higher validation effort by white hats. Finally, we introduce a novel approach, which may improve efficiency by enabling different white hats to exert validation effort at their individually optimal levels.

Original language: English (US)
Title of host publication: Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings
Editors: Sokratis Katsikas, Catherine Meadows, Ioannis Askoxylakis, Sotiris Ioannidis
Publisher: Springer Verlag
Pages: 161-178
Number of pages: 18
ISBN (Print): 9783319457406
State: Published - 2016
Event: 21st European Symposium on Research in Computer Security, ESORICS 2016 - Heraklion, Greece
Duration: Sep 26 2016 to Sep 30 2016

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9879 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 21st European Symposium on Research in Computer Security, ESORICS 2016
Country/Territory: Greece
City: Heraklion
Period: 9/26/16 to 9/30/16

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science
