
    Understanding the Heterogeneity of Contributors in Bug Bounty Programs

    Background: While bug bounty programs are not new in software development, an increasing number of companies, as well as open source projects, rely on external parties to perform the security assessment of their software for reward. However, there is relatively little empirical knowledge about the characteristics of bug bounty program contributors. Aim: This paper aims to understand those contributors by highlighting the heterogeneity among them. Method: We analyzed the histories of 82 bug bounty programs and 2,504 distinct bug bounty contributors, and conducted a quantitative and qualitative survey. Results: We found that there are project-specific and non-specific contributors who have different motivations for contributing to the products and organizations. Conclusions: Our findings provide insights for making bug bounty programs better and for further studies of new software development roles. Comment: 6 pages, ESEM 201

    Heartbleed's Impact

    In early April, a major security flaw affecting perhaps 500,000 or more websites was announced and fixed. But the patch to the "secure socket" program that is supposed to encrypt and protect user information on secure websites was only made after more than two years of vulnerability on some of the most heavily trafficked sites, including Facebook, Google, YouTube, Yahoo and Wikipedia. Analysts warned that untold numbers of internet users might have had key personal information compromised either in their use of those websites, or in their use of email, instant messaging, and even supposedly secure virtual private networks. This report covers public response to the revelation of the security code flaw. It was conducted among 1,501 adults between April 23-27 on landline and cell phones and in English and Spanish. It has a margin of error of plus or minus 2.9 percentage points in the overall sample and 3.1 points among the internet users in the sample (N=1,303). The software bug was named "Heartbleed" and it was accidentally introduced to the OpenSSL encryption program on New Year's Eve 2011. OpenSSL is an open-source program that is used by many of the sites and email programs that have the "https" prefix and "green lock" icon in their URLs. Some security commentators called Heartbleed "catastrophic" and said it was one of the worst vulnerabilities ever discovered on the web. The flaw basically allowed people to "break the lock" on sophisticated encryption software, get into the memory of security systems and gather up whatever personal information was there, including usernames, passwords, and the actual content of accounts such as credit card data or other sensitive personal information.

    Bug or Not? Bug Report Classification Using N-Gram IDF

    Previous studies have found that a significant number of bug reports are misclassified between bugs and non-bugs, and that manually classifying bug reports is a time-consuming task. To address this problem, we propose a bug report classification model based on N-gram IDF, a theoretical extension of Inverse Document Frequency (IDF) for handling words and phrases of any length. N-gram IDF enables us to extract key terms of any length from texts; these key terms can be used as the features to classify bug reports. We build classification models with logistic regression and random forest using features from N-gram IDF and from topic modeling, which is widely used in various software engineering tasks. With a publicly available dataset, our results show that our N-gram IDF-based models perform better than the topic-based models in all of the evaluated cases. Our models show promising results and have the potential to be extended to other software engineering tasks. Comment: 5 pages, ICSME 201

    Smaller, Closer, Dirtier: Diesel Backup Generators in California

    Quantifies the threat to air quality and human health posed by backup generators, and examines air quality in Los Angeles, San Diego, Sacramento, and Fresno, with some analysis of San Francisco as well.

    Links between the personalities, styles and performance in computer programming

    There are repetitive patterns in strategies for manipulating source code. For example, modifying source code before acquiring knowledge of how the code works is a depth-first style, and reading and understanding before modifying source code is a breadth-first style. As far as we know, there is no study of the influence of personality on these styles. The objective of this study is to understand the influence of personality on programming styles. We did a correlational study with 65 programmers at the University of Stuttgart. Academic achievement, programming experience, attitude towards programming and five personality factors were measured via a self-assessment survey. The programming styles were either asked about in the survey or mined from the software repositories. Performance in programming was composed of the bug-proneness of programmers, which was mined from software repositories, the grades they got in a software project course, and their estimate of their own programming ability. We did statistical analysis and found that Openness to Experience has a positive association with the breadth-first style and Conscientiousness has a positive association with the depth-first style. We also found that, in addition to having more programming experience and better academic achievement, the styles of working depth-first and saving coarse-grained revisions improve performance in programming. Comment: 27 pages, 6 figures