Artificial Bugs for Crowdsearch (2403.09484v1)
Abstract: Bug bounty programs, in which external agents are invited to search for and report vulnerabilities (bugs) in exchange for rewards (bounties), have become a major tool for companies to improve their systems. We suggest augmenting such programs by inserting artificial bugs to increase the incentives to search for real (organic) bugs. Using a model of crowdsearch, we identify the efficiency gains from artificial bugs, and we show that for this it is sufficient to insert only one artificial bug. Artificial bugs are particularly beneficial, for instance, if the designer places a high valuation on finding organic bugs or if the bounty budget is not sufficiently high. We discuss how to implement artificial bugs and outline their further benefits.