Understanding the Heterogeneity of Contributors in Bug Bounty Programs

Background: While bug bounty programs are not new in software development, an increasing number of companies, as well as open source projects, rely on external parties to perform the security assessment of their software in exchange for a reward. However, there is relatively little empirical knowledge about the characteristics of bug bounty program contributors. Aim: This paper aims to understand those contributors by highlighting the heterogeneity among them. Method: We analyzed the histories of 82 bug bounty programs and 2,504 distinct bug bounty contributors, and conducted a quantitative and qualitative survey. Results: We found that there are project-specific and non-specific contributors who have different motivations for contributing to the products and organizations. Conclusions: Our findings provide insights for improving bug bounty programs and for further studies of new software development roles.
