Cost Sharing Security Information with Minimal Release Delay
We study a cost sharing problem derived from bug bounty programs, where agents gain utility by the amount of time they get to enjoy the cost shared information. Once the information is provided to an agent, it cannot be retracted. The goal, instead of maximizing revenue, is to pick a time as early as possible, so that enough agents are willing to cost share the information and enjoy it for a premium time period, while other agents wait and enjoy the information for free after a certain amount of release delay. We design a series of mechanisms with the goal of minimizing the maximum delay and the total delay. Under prior-free settings, our final mechanism achieves a competitive ratio of 4 in terms of maximum delay, against an undominated mechanism. Finally, we assume some distributions of the agents’ valuations, and investigate our mechanism’s performance in terms of expected delays.
Keywords: Mechanism design, Cost sharing, Bug bounty