The Cathedral and the Bazaar
Is Finding Security Holes a Good Idea?
IEEE Security and Privacy
Milk or wine: does software security improve with age?
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Predicting vulnerable software components
Proceedings of the 14th ACM conference on Computer and communications security
Review: A systematic review of software fault prediction studies
Expert Systems with Applications: An International Journal
Exploring the relationship betweenweb application development tools and security
WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
One Technique is Not Enough: A Comparison of Vulnerability Discovery Techniques
ESEM '11 Proceedings of the 2011 International Symposium on Empirical Software Engineering and Measurement
Quo vadis? a study of the evolution of input validation vulnerabilities in web applications
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
An empirical study on the effectiveness of security code review
ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
Markets for zero-day exploits: ethics and implications
Proceedings of the 2013 workshop on New security paradigms workshop
| Hi-index | 0.00 |
We perform an empirical study to better understand two well-known vulnerability rewards programs, or VRPs, which software vendors use to encourage community participation in finding and responsibly disclosing software vulnerabilities. The Chrome VRP has cost approximately $580,000 over 3 years and has resulted in 501 bounties paid for the identification of security vulnerabilities. The Firefox VRP has cost approximately $570,000 over the last 3 years and has yielded 190 bounties. 28% of Chrome's patched vulnerabilities appearing in security advisories over this period, and 24% of Firefox's, are the result of VRP contributions. Both programs appear economically efficient, comparing favorably to the cost of hiring full-time security researchers. The Chrome VRP features low expected payouts accompanied by high potential payouts, while the Firefox VRP features fixed payouts. Finding vulnerabilities for VRPs typically does not yield a salary comparable to a full-time job; the common case for recipients of rewards in either program is that they have received only one reward. Firefox has far more critical-severity vulnerabilities than Chrome, which we believe is attributable to an architectural difference between the two browsers.