268 research outputs found

    Understanding the Heterogeneity of Contributors in Bug Bounty Programs

    Background: While bug bounty programs are not new in software development, an increasing number of companies, as well as open source projects, rely on external parties to perform the security assessment of their software for reward. However, there is relatively little empirical knowledge about the characteristics of bug bounty program contributors. Aim: This paper aims to understand those contributors by highlighting the heterogeneity among them. Method: We analyzed the histories of 82 bug bounty programs and 2,504 distinct bug bounty contributors, and conducted a quantitative and qualitative survey. Results: We found that there are project-specific and non-specific contributors who have different motivations for contributing to the products and organizations. Conclusions: Our findings provide insights to make bug bounty programs better and for further studies of new software development roles. Comment: 6 pages, ESEM 201

    Undominated Groves Mechanisms

    The family of Groves mechanisms, which includes the well-known VCG mechanism (also known as the Clarke mechanism), is a family of efficient and strategy-proof mechanisms. Unfortunately, the Groves mechanisms are generally not budget balanced. That is, under such mechanisms, payments may flow into or out of the system of the agents, resulting in deficits or reduced utilities for the agents. We consider the following problem: within the family of Groves mechanisms, we want to identify mechanisms that give the agents the highest utilities, under the constraint that these mechanisms must never incur deficits. We adopt a prior-free approach. We introduce two general measures for comparing mechanisms in prior-free settings. We say that a non-deficit Groves mechanism $M$ individually dominates another non-deficit Groves mechanism $M'$ if for every type profile, every agent's utility under $M$ is no less than that under $M'$, and this holds with strict inequality for at least one type profile and one agent. We say that a non-deficit Groves mechanism $M$ collectively dominates another non-deficit Groves mechanism $M'$ if for every type profile, the agents' total utility under $M$ is no less than that under $M'$, and this holds with strict inequality for at least one type profile. The above definitions induce two partial orders on non-deficit Groves mechanisms. We study the maximal elements corresponding to these two partial orders, which we call the individually undominated mechanisms and the collectively undominated mechanisms, respectively. Comment: 34 pages. To appear in Journal of AI Research (JAIR

    Optimal-in-expectation redistribution mechanisms

    Many important problems in multiagent systems involve the allocation of multiple resources among the agents. If agents are self-interested, they will lie about their valuations for the resources if they perceive this to be in their interest. The well-known VCG mechanism allocates the items efficiently, is strategy-proof (agents have no incentive to lie), and never runs a deficit. Nevertheless, the agents may have to make large payments to a party outside the system of agents, leading to decreased utility for the agents. Recent work has investigated the possibility of redistributing some of the payments back to the agents, without violating the other desirable properties of the VCG mechanism. Previous research on redistribution mechanisms has resulted in a worst-case optimal redistribution mechanism, that is, a mechanism that maximizes the fraction of VCG payments redistributed in the worst case. In contrast, in this paper, we assume that a prior distribution over the agents' valuations is available, and our goal is to maximize the expected total redistribution. In the first part of this paper, we study multi-unit auctions with unit demand. We analytically solve for a mechanism that is optimal among linear redistribution mechanisms. We also propose discretized redistribution mechanisms. We show how to automatically solve for the optimal discretized redistribution mechanism for a given discretization step size, and show that the resulting mechanisms converge to optimality as the step size goes to zero. We present experimental results showing that for auctions with many bidders, the optimal linear redistribution mechanism redistributes almost everything, whereas for auctions with few bidders, we can solve for the optimal discretized redistribution mechanism with a very small step size. In the second part of this paper, we study multi-unit auctions with nonincreasing marginal values. We extend the notion of linear redistribution mechanisms, previously defined only in the unit demand setting, to this more general setting. We introduce a linear program for finding the optimal linear redistribution mechanism. This linear program is unwieldy, so we also introduce one simplified linear program that produces relatively good linear redistribution mechanisms. We conjecture an analytical solution for the simplified linear program