54,125 research outputs found
Understanding the Heterogeneity of Contributors in Bug Bounty Programs
Background: While bug bounty programs are not new in software development, an
increasing number of companies, as well as open source projects, rely on
external parties to perform the security assessment of their software for
reward. However, there is relatively little empirical knowledge about the
characteristics of bug bounty program contributors. Aim: This paper aims to
understand those contributors by highlighting the heterogeneity among them.
Method: We analyzed the histories of 82 bug bounty programs and 2,504 distinct
bug bounty contributors, and conducted a quantitative and qualitative survey.
Results: We found that there are project-specific and non-specific contributors
who have different motivations for contributing to the products and
organizations. Conclusions: Our findings provide insights to make bug bounty
programs better and for further studies of new software development roles.Comment: 6 pages, ESEM 201
Heartbleed's Impact
In early April, a major security flaw affecting perhaps 500,000 or more websites was announced and fixed. But the patch to the "secure socket" program that is supposed to encrypt and protect user information on secure websites was only made after more than two years of vulnerability on some of the most heavily trafficked sites, including Facebook, Google, YouTube, Yahoo and Wikipedia. Analysts warned that untold numbers of internet users might have had key personal information compromised either in their use of those websites, or their use of email, instant messaging, and even supposedly secure virtual personal networks. This report covers public response to the revelation of the security code flaw. It was conducted among 1,501 adults between April 23-27 on landline and cell phones and in English and Spanish. It has a margin of error of plus or minus 2.9 percentage points in the overall sample and 3.1 points among the internet users in the sample (N=1,303). The software bug was named "Heartbleed" and it was accidentally introduced to the OpenSSL encryption program on New Year's Eve 2011. OpenSSL is an open-source program that is used by many of the sites and email programs that have the "https" prefix and "green lock" icon in their URLs. Some security commentators called Heartbleed "catastrophic" and said it one of the worst vulnerabilities ever discovered on the web. The flaw basically allowed people to "break the lock" on sophisticated encryption software, get into the memory of security systems and gather up whatever personal information was there, including usernames, passwords, and the actual content of accounts such as credit card data or other sensitive personal information
Bug or Not? Bug Report Classification Using N-Gram IDF
Previous studies have found that a significant number of bug reports are
misclassified between bugs and non-bugs, and that manually classifying bug
reports is a time-consuming task. To address this problem, we propose a bug
reports classification model with N-gram IDF, a theoretical extension of
Inverse Document Frequency (IDF) for handling words and phrases of any length.
N-gram IDF enables us to extract key terms of any length from texts, these key
terms can be used as the features to classify bug reports. We build
classification models with logistic regression and random forest using features
from N-gram IDF and topic modeling, which is widely used in various software
engineering tasks. With a publicly available dataset, our results show that our
N-gram IDF-based models have a superior performance than the topic-based models
on all of the evaluated cases. Our models show promising results and have a
potential to be extended to other software engineering tasks.Comment: 5 pages, ICSME 201
Smaller, Closer, Dirtier: Diesel Backup Generators in California
Quantifies the threat to air quality and human health by backup generators, and examines air quality in Los Angeles, San Diego, Sacramento, and Fresno, with some analysis of San Francisco as well
Links between the personalities, styles and performance in computer programming
There are repetitive patterns in strategies of manipulating source code. For
example, modifying source code before acquiring knowledge of how a code works
is a depth-first style and reading and understanding before modifying source
code is a breadth-first style. To the extent we know there is no study on the
influence of personality on them. The objective of this study is to understand
the influence of personality on programming styles. We did a correlational
study with 65 programmers at the University of Stuttgart. Academic achievement,
programming experience, attitude towards programming and five personality
factors were measured via self-assessed survey. The programming styles were
asked in the survey or mined from the software repositories. Performance in
programming was composed of bug-proneness of programmers which was mined from
software repositories, the grades they got in a software project course and
their estimate of their own programming ability. We did statistical analysis
and found that Openness to Experience has a positive association with
breadth-first style and Conscientiousness has a positive association with
depth-first style. We also found that in addition to having more programming
experience and better academic achievement, the styles of working depth-first
and saving coarse-grained revisions improve performance in programming.Comment: 27 pages, 6 figure
- …