TY - GEN
T1 - Banishing misaligned incentives for validating reports in bug-bounty platforms
AU - Laszka, Aron
AU - Zhao, Mingyi
AU - Grossklags, Jens
N1 - Publisher Copyright:
© Springer International Publishing Switzerland 2016.
PY - 2016
Y1 - 2016
N2 - Bug-bounty programs have the potential to harvest the efforts and diverse knowledge of thousands of white hat hackers. As a consequence, they are becoming increasingly popular as a key part of the security culture of organizations. However, bug-bounty programs can be riddled with myriads of invalid vulnerability-report submissions, which are partially the result of misaligned incentives between white hats and organizations. To further improve the effectiveness of bug-bounty programs, we introduce a theoretical model for evaluating approaches for reducing the number of invalid reports. We develop an economic framework and investigate the strengths and weaknesses of existing canonical approaches for effectively incentivizing higher validation efforts by white hats. Finally, we introduce a novel approach, which may improve efficiency by enabling different white hats to exert validation effort at their individually optimal levels.
UR - http://www.scopus.com/inward/record.url?scp=84990848058&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84990848058&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-45741-3_9
DO - 10.1007/978-3-319-45741-3_9
M3 - Conference contribution
AN - SCOPUS:84990848058
SN - 9783319457406
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 161
EP - 178
BT - Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings
A2 - Katsikas, Sokratis
A2 - Meadows, Catherine
A2 - Askoxylakis, Ioannis
A2 - Ioannidis, Sotiris
PB - Springer Verlag
T2 - 21st European Symposium on Research in Computer Security, ESORICS 2016
Y2 - 26 September 2016 through 30 September 2016
ER -