{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,27]],"date-time":"2026-04-27T21:42:31Z","timestamp":1777326151275,"version":"3.51.4"},"publisher-location":"Berlin, Heidelberg","reference-count":26,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"value":"9783662583869","type":"print"},{"value":"9783662583876","type":"electronic"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-662-58387-6_8","type":"book-chapter","created":{"date-parts":[[2019,8,29]],"date-time":"2019-08-29T15:03:39Z","timestamp":1567091019000},"page":"138-159","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":19,"title":["The Rules of Engagement for Bug Bounty Programs"],"prefix":"10.1007","author":[{"given":"Aron","family":"Laszka","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mingyi","family":"Zhao","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Akash","family":"Malbari","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jens","family":"Grossklags","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2018,12,7]]},"reference":[{"issue":"3","key":"8_CR1","first-page":"71","volume":"8","author":"A Algarni","year":"2014","unstructured":"Algarni, A., Malaiya, Y.: Software vulnerability markets: discoverers and buyers. Int. J. Comput. Inf. Sci. Eng. 8(3), 71\u201381 (2014)","journal-title":"Int. J. Comput. Inf. Sci. Eng."},{"key":"8_CR2","doi-asserted-by":"crossref","unstructured":"Bacon, D., Chen, Y., Parkes, D., Rao, M.: A market-based approach to software evolution. In: 24th ACM SIGPLAN Conference Companion on Object Oriented Programming, Systems, Languages, and Applications (2009)","DOI":"10.1145\/1639950.1640066"},{"key":"8_CR3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"298","DOI":"10.1007\/11766155_21","volume-title":"Emerging Trends in Information and Communication Security","author":"R B\u00f6hme","year":"2006","unstructured":"B\u00f6hme, R.: A comparison of market approaches to software vulnerability disclosure. In: M\u00fcller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 298\u2013311. Springer, Heidelberg (2006). \n                      https:\/\/doi.org\/10.1007\/11766155_21"},{"key":"8_CR4","doi-asserted-by":"crossref","unstructured":"Bozorgi, M., Saul, L., Savage, S., Voelker, G.: Beyond heuristics: learning to classify vulnerabilities and predict exploits. In: Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD), pp. 105\u2013114 (2010)","DOI":"10.1145\/1835804.1835821"},{"key":"8_CR5","unstructured":"Bugcrowd: The state of Bug Bounty, July 2015"},{"key":"8_CR6","unstructured":"Bugcrowd: The state of Bug Bounty, June 2016"},{"key":"8_CR7","doi-asserted-by":"crossref","unstructured":"Clark, S., Frei, S., Blaze, M., Smith, J.: Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities. In: Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), pp. 251\u2013260 (2010)","DOI":"10.1145\/1920261.1920299"},{"key":"8_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"197","DOI":"10.1007\/978-3-642-36563-8_14","volume-title":"Engineering Secure Software and Systems","author":"A Edmundson","year":"2013","unstructured":"Edmundson, A., Holtkamp, B., Rivera, E., Finifter, M., Mettler, A., Wagner, D.: An empirical study on the effectiveness of security code review. In: J\u00fcrjens, J., Livshits, B., Scandariato, R. (eds.) ESSoS 2013. LNCS, vol. 7781, pp. 197\u2013212. Springer, Heidelberg (2013). \n                      https:\/\/doi.org\/10.1007\/978-3-642-36563-8_14"},{"key":"8_CR9","unstructured":"Finifter, M., Akhawe, D., Wagner, D.: An empirical study of vulnerability rewards programs. In: USENIX Security Symposium (2013)"},{"issue":"32","key":"8_CR10","doi-asserted-by":"publisher","first-page":"221","DOI":"10.1037\/h0057532","volume":"1948","author":"R Flesch","year":"1948","unstructured":"Flesch, R.: A new readability yardstick. J. Appl. Psychol. 1948(32), 221\u2013233 (1948)","journal-title":"J. Appl. Psychol."},{"key":"8_CR11","unstructured":"Huang, K., Siegel, M., Madnick, S., Li, X., Feng, Z.: Poster: diversity or concentration? Hackers\u2019 strategy for working across multiple bug bounty programs. In: 37th IEEE Symposium on Security and Privacy (S&P) (2016)"},{"key":"8_CR12","doi-asserted-by":"crossref","unstructured":"Kuehn, A., Mueller, M.: Analyzing bug bounty programs: an institutional perspective on the economics of software vulnerabilities. In: TPRC Conference Paper (2014)","DOI":"10.2139\/ssrn.2418812"},{"key":"8_CR13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"161","DOI":"10.1007\/978-3-319-45741-3_9","volume-title":"Computer Security \u2013 ESORICS 2016","author":"A Laszka","year":"2016","unstructured":"Laszka, A., Zhao, M., Grossklags, J.: Banishing misaligned incentives for validating reports in bug-bounty platforms. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 161\u2013178. Springer, Cham (2016). \n                      https:\/\/doi.org\/10.1007\/978-3-319-45741-3_9"},{"key":"8_CR14","doi-asserted-by":"publisher","first-page":"372","DOI":"10.5325\/jinfopoli.7.2017.0372","volume":"7","author":"A Laszka","year":"2017","unstructured":"Laszka, A., Zhao, M., Grossklags, J.: Devising effective economic policies for bug-bounty platforms and security vulnerability discovery. J. Inf. Policy 7, 372\u2013418 (2017)","journal-title":"J. Inf. Policy"},{"key":"8_CR15","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1093\/cybsec\/tyx008","volume":"3","author":"T Maillart","year":"2017","unstructured":"Maillart, T., Zhao, M., Grossklags, J., Chuang, J.: Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty markets. J. Cybersecur. 3, 81\u201390 (2017)","journal-title":"J. Cybersecur."},{"issue":"8","key":"8_CR16","first-page":"639","volume":"12","author":"H Mc Laughlin","year":"1969","unstructured":"Mc Laughlin, H.: SMOG grading - a new readability formula. J. Reading 12(8), 639\u2013646 (1969)","journal-title":"J. Reading"},{"key":"8_CR17","unstructured":"Ozment, A.: The likelihood of vulnerability rediscovery and the social utility of vulnerability hunting. In: Workshop on the Economics of Information Security (WEIS) (2005)"},{"key":"8_CR18","unstructured":"Ozment, A., Schechter, S.: Milk or wine: does software security improve with age? In: USENIX Security Symposium (2006)"},{"issue":"1","key":"8_CR19","doi-asserted-by":"publisher","first-page":"43","DOI":"10.2307\/41410405","volume":"36","author":"S Ransbotham","year":"2012","unstructured":"Ransbotham, S., Mitra, S., Ramsey, J.: Are markets for vulnerabilities effective? MIS Q. 36(1), 43\u201364 (2012)","journal-title":"MIS Q."},{"issue":"7","key":"8_CR20","first-page":"46","volume":"13","author":"J Ratcliff","year":"1988","unstructured":"Ratcliff, J., Metzener, D.: Pattern-matching: the gestalt approach. Dr Dobbs J. 13(7), 46 (1988)","journal-title":"Dr Dobbs J."},{"issue":"1","key":"8_CR21","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1109\/MSP.2005.17","volume":"3","author":"E Rescorla","year":"2005","unstructured":"Rescorla, E.: Is finding security holes a good idea? IEEE Secur. Priv. 3(1), 14\u201319 (2005)","journal-title":"IEEE Secur. Priv."},{"key":"8_CR22","unstructured":"Senter, R., Smith, E.: Automated readability index. Technical report, DTIC document (1967)"},{"key":"8_CR23","doi-asserted-by":"crossref","unstructured":"Shahzad, M., Shafiq, M., Liu, A.: A large scale exploratory analysis of software vulnerability life cycles. In: International Conference on Software Engineering (2012)","DOI":"10.1109\/ICSE.2012.6227141"},{"key":"8_CR24","doi-asserted-by":"crossref","unstructured":"Zhao, M., Grossklags, J., Chen, K.: An exploratory study of white hat behaviors in a web vulnerability disclosure program. In: 2014 ACM CCS Workshop on Security Information Workers (2014)","DOI":"10.1145\/2663887.2663906"},{"key":"8_CR25","doi-asserted-by":"crossref","unstructured":"Zhao, M., Grossklags, J., Liu, P.: An empirical study of web vulnerability discovery ecosystems. In: 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS) (2015)","DOI":"10.1145\/2810103.2813704"},{"key":"8_CR26","unstructured":"Zhao, M., Laszka, A., Maillart, T., Grossklags, J.: Crowdsourced security vulnerability discovery: modeling and organizing bug-bounty programs. In: HCOMP Workshop on Mathematical Foundations of Human Computation (2016)"}],"container-title":["Lecture Notes in Computer Science","Financial Cryptography and Data Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-662-58387-6_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,8,29]],"date-time":"2019-08-29T15:04:53Z","timestamp":1567091093000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-662-58387-6_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783662583869","9783662583876"],"references-count":26,"URL":"https:\/\/doi.org\/10.1007\/978-3-662-58387-6_8","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018]]},"assertion":[{"value":"7 December 2018","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"FC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Financial Cryptography and Data Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Nieuwpoort","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Cura\u00e7ao","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2018","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26 February 2018","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2 March 2018","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"fc2018","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/fc18.ifca.ai\/index.html","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"HotCRP","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"110","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"27","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"25% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3,27","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3,27","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}