Abstract
We study a cost sharing problem derived from bug bounty programs, where agents gain utility by the amount of time they get to enjoy the cost shared information. Once the information is provided to an agent, it cannot be retracted. The goal, instead of maximizing revenue, is to pick a time as early as possible, so that enough agents are willing to cost share the information and enjoy it for a premium time period, while other agents wait and enjoy the information for free after a certain amount of release delay. We design a series of mechanisms with the goal of minimizing the maximum delay and the total delay. Under prior-free settings, our final mechanism achieves a competitive ratio of 4 in terms of maximum delay, against an undominated mechanism. Finally, we assume some distributions of the agents’ valuations, and investigate our mechanism’s performance in terms of expected delays.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
For randomized mechanisms, the allocation times and payments are the expected values over the random bits.
- 2.
For randomized mechanisms, we require that for all realizations of the random bits, the constraint holds.
- 3.
Tie-breaking detail: given a type profile, if under A, the bug is not sold (max delay is 1), and under B, the bug is sold (the max delay happens to be also 1), then we interpret that the max delay under A is not at most that under B.
- 4.
The claim remains true if we switch to Sum-Delay-Dominance.
- 5.
That is, we fixed the strategy-proofness issue at the cost of longer delays, but it is within a constant factor.
- 6.
It is without loss of generality to assume that the optimal mechanism does not treat the agents differently based on their identities. Given a non-anonymous mechanism, we can trivially create an “average” version of it over all permutations of the identities [7]. The resulting mechanism is anonymous and has the same Max-Delay and Sum-Delay.
References
Algarni, A., Malaiya, Y.: Software vulnerability markets: discoverers and buyers. Int. J. Comput. Inf. Sci. Eng. 8(3), 482–484 (2014)
Arora, A., Telang, R., Xu, H.: Optimal policy for software vulnerability disclosure. Manage. Sci. 54(4), 642–656 (2008)
Böhme, R.: A comparison of market approaches to software vulnerability disclosure. In: Müller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 298–311. Springer, Heidelberg (2006). https://doi.org/10.1007/11766155_21
Canfield, C., Catota, F., Rajkarnikar, N.: A national cyber bug broker: retrofitting transparency (2015). https://www.andrew.cmu.edu/user/ccanfiel/National-Cyber-Bug-Broker_final.pdf
Guo, M., Hata, H., Babar, A.: Revenue maximizing markets for zero-day exploits. In: Baldoni, M., Chopra, A.K., Son, T.C., Hirayama, K., Torroni, P. (eds.) PRIMA 2016. LNCS (LNAI), vol. 9862, pp. 247–260. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44832-9_15
Guo, M., Hata, H., Babar, A.: Optimizing affine maximizer auctions via linear programming: an application to revenue maximizing mechanism design for zero-day exploits markets. In: An, B., Bazzan, A., Leite, J., Villata, S., van der Torre, L. (eds.) PRIMA 2017. LNCS (LNAI), vol. 10621, pp. 280–292. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69131-2_17
Guo, M., Markakis, E., Apt, K.R., Conitzer, V.: Undominated groves mechanisms. J. Artif. Intell. Res. 46, 129–163 (2013)
Howard, R.: Cyber Fraud: Tactics, Techniques and Procedures. CRC Press, Boca Raton (2009)
Kannan, K., Telang, R.: Market for software vulnerabilities? Think again. Manage. Sci. 51(5), 726–740 (2005)
Maillart, T., Zhao, M., Grossklags, J., Chuang, J.: Given enough eyeballs, all bugs are shallow? Revisiting eric raymond with bug bounty programs. J. Cybersecur. 3(2), 81–90 (2017)
Miller, C.: The legitimate vulnerability market: inside the secretive world of 0-day exploit sales. In: Sixth Workshop on the Economics of Information Security (2007)
Myerson, R.B.: Optimal auction design. Math. Oper. Res. 6(1), 58–73 (1981)
Nizovtsev, D., Thursby, M.: To disclose or not? An analysis of software user behavior. Inf. Econ. Policy 19(1), 43–64 (2007)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Guo, M., Yang, Y., Ali Babar, M. (2018). Cost Sharing Security Information with Minimal Release Delay. In: Miller, T., Oren, N., Sakurai, Y., Noda, I., Savarimuthu, B.T.R., Cao Son, T. (eds) PRIMA 2018: Principles and Practice of Multi-Agent Systems. PRIMA 2018. Lecture Notes in Computer Science(), vol 11224. Springer, Cham. https://doi.org/10.1007/978-3-030-03098-8_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-03098-8_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03097-1
Online ISBN: 978-3-030-03098-8
eBook Packages: Computer ScienceComputer Science (R0)