Cost Sharing Security Information with Minimal Release Delay

  • Mingyu Guo
  • Yong Yang
  • Muhammad Ali Babar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11224)


We study a cost sharing problem derived from bug bounty programs, where agents gain utility according to the amount of time they get to enjoy the cost-shared information. Once the information is provided to an agent, it cannot be retracted. The goal, instead of maximizing revenue, is to pick a time as early as possible, so that enough agents are willing to cost share the information and enjoy it for a premium time period, while other agents wait and enjoy the information for free after a certain amount of release delay. We design a series of mechanisms with the goal of minimizing the maximum delay and the total delay. Under prior-free settings, our final mechanism achieves a competitive ratio of 4 in terms of maximum delay, against an undominated mechanism. Finally, we assume some distributions of the agents’ valuations, and investigate our mechanism’s performance in terms of expected delays.


Keywords: Mechanism design, Cost sharing, Bug bounty



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. The University of Adelaide, Adelaide, Australia
