Artificial Bugs for Crowdsearch

Hans Gersbach, Fikri Pitsuwan, Pio Blieske

TL;DR

Using a model of crowdsearch, the efficiency gains from artificial bugs are identified, and it is shown that inserting only one artificial bug is sufficient to obtain them.

Abstract

Bug bounty programs, where external agents are invited to search and report vulnerabilities (bugs) in exchange for rewards (bounty), have become a major tool for companies to improve their systems. We suggest augmenting such programs by inserting artificial bugs to increase the incentives to search for real (organic) bugs. Using a model of crowdsearch, we identify the efficiency gains by artificial bugs, and we show that for this, it is sufficient to insert only one artificial bug. Artificial bugs are particularly beneficial, for instance, if the designer places high valuations on finding organic bugs or if the budget for bounty is not sufficiently high. We discuss how to implement artificial bugs and outline their further benefits.

Paper Structure (18 sections, 13 theorems, 36 equations, 5 figures)

This paper contains 18 sections, 13 theorems, 36 equations, 5 figures.

Key Result

Lemma 3.1

If $\Psi(\underline{c}) \leq \underline{c}$, then $c^* = \underline{c}$. If $\Psi(\overline{c}) \geq \overline{c}$, then $c^* = \overline{c}$. Otherwise, the symmetric equilibrium threshold $c^* = c^*(\boldsymbol{v},\boldsymbol{v}_a,\boldsymbol{q}_a)$ is the unique solution to

Figures (5)

  • Figure 1: Optimal $(v, v_a)$ given $q_a$
  • Figure 2: Dependence on $w$
  • Figure 3: Convergence of $W_n(\hat{c})$ as $n$ grows
  • Figure 4: Scaled version
  • Figure 5: Convergence of the sets $M_n$ to $M_\infty$

Theorems & Definitions (14)

  • Lemma 3.1
  • Lemma 3.2
  • Lemma 3.3
  • Lemma 3.4
  • Theorem 1
  • Theorem 2
  • Lemma 4.1
  • Corollary 1
  • Lemma 4.2
  • Theorem 3
  • ...and 4 more