Mingyu Guo

Redistribution of VCG payments in public project problems

Redistribution of VCG payments has been mostly studied in the context of resource allocation. This paper focuses on another fundamental model--the public project problem. In this scenario, the VCG mechanism collects in payments up to

Revenue Maximizing Markets for Zero-Day Exploits

\frac{n-1}{n}

Towards understanding an open-source bounty: Analysis of Bountysource

of the total value of the agents. This collected revenue represents a loss of social welfare. Given this, we study how to redistribute most of the VCG revenue back to the agents. Our first result is a bound on the best possible efficiency ratio, which we conjecture to be tight based on numerical simulations. Furthermore, the upper bound is confirmed on the case with 3 agents, for which we derive an optimal redistribution function. For more than 3 agents, we turn to heuristic solutions and propose a new approach to designing redistribution mechanisms.

Optimizing Affine Maximizer Auctions via Linear Programming: An Application to Revenue Maximizing Mechanism Design for Zero-Day Exploits Markets.

Markets for zero-day exploits (software vulnerabilities unknown to the vendor) have a long history and a growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploits markets. In our model, one exploit is being sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to utilize the exploits (e.g., national security agencies and police). Our model is more than a single-item auction. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities. If one defender wins, then the exploit becomes worthless to the offenders. Third, if we disclose the details of the exploit to the buyers before the auction, then they may leave with the information without paying. On the other hand, if we do not disclose the details, then it is difficult for the buyers to come up with their private valuations. Considering the above, our proposed mechanism discloses the details of the exploit to all offenders before the auction. The offenders then pay to delay the exploit being disclosed to the defenders.

Understanding the heterogeneity of contributors in bug bounty programs

When developing and maintaining a software project, many issues about bug fixing or feature addition are reported on the Bug Tracking System (BTS) and the Issue Tracking System (ITS). Bountysource is a web founding platform that awards developers who have solved issues on the BTS/ITS. Users can post a bounty for the issues, and a developer who solves the issue can get that bounty. This research analyzes Bountysource to clarify how bounties act in open source software projects and discusses further research topics in open-source bounties.

Competitive VCG Redistribution Mechanism for Public Project Problem

Optimizing within the affine maximizer auctions (AMA) is an effective approach for revenue maximizing mechanism design. The AMA mechanisms are strategy-proof and individually rational (if the agents’ valuations for the outcomes are nonnegative). Every AMA mechanism is characterized by a list of parameters. By focusing on the AMA mechanisms, we turn mechanism design into a value optimization problem, where we only need to adjust the parameters. We propose a linear programming based heuristic for optimizing within the AMA family. We apply our technique to revenue maximizing mechanism design for zero-day exploit markets. We show that due to the nature of the zero-day exploit markets, if there are only two agents (one offender and one defender), then our technique generally produces a near optimal mechanism: the mechanism’s expected revenue is close to the optimal revenue achieved by the optimal strategy-proof and individually rational mechanism (not necessarily an AMA mechanism).

Cost Sharing Security Information with Minimal Release Delay

Background: While bug bounty programs are not new in software development, an increasing number of companies, as well as open source projects, rely on external parties to perform the security assessment of their software for reward. However, there is relatively little empirical knowledge about the characteristics of bug bounty program contributors. Aim: This paper aims to understand those contributors by highlighting the heterogeneity among them. Method: We analyzed the histories of 82 bug bounty programs and 2,504 distinct bug bounty contributors, and conducted a quantitative and qualitative survey. Results: We found that there are project-specific and non-specific contributors who have different motivations for contributing to the products and organizations. Conclusions: Our findings provide insights to make bug bounty programs better and for further studies of new software development roles.

Speed up Automated Mechanism Design by Sampling Worst-Case Profiles: An Application to Competitive VCG Redistribution Mechanism for Public Project Problem

The VCG mechanism has many nice properties, and can be applied to a wide range of social decision problems. One problem of the VCG mechanism is that even though it is efficient, its social welfare (agents’ total utility considering payments) can be low due to high VCG payments. VCG redistribution mechanisms aim to resolve this by redistributing the VCG payments back to the agents. Competitive VCG redistribution mechanisms have been found for various resource allocation settings. However, there has been almost no success outside of the scope of allocation problems. This paper focuses on another fundamental model - the public project problem. In Naroditskiy et al. 2012, it was conjectured that competitive VCG redistribution mechanisms exist for the public project problem, and one competitive mechanism was proposed for the case of three agents (unfortunately, both the mechanism and the techniques behind it do not generalize to cases with more agents). In this paper, we propose a competitive mechanism for general numbers of agents, relying on new techniques.

Individually Rational Strategy-Proof Social Choice with Exogenous Indifference Sets

We study a cost sharing problem derived from bug bounty programs, where agents gain utility by the amount of time they get to enjoy the cost shared information. Once the information is provided to an agent, it cannot be retracted. The goal, instead of maximizing revenue, is to pick a time as early as possible, so that enough agents are willing to cost share the information and enjoy it for a premium time period, while other agents wait and enjoy the information for free after a certain amount of release delay. We design a series of mechanisms with the goal of minimizing the maximum delay and the total delay. Under prior-free settings, our final mechanism achieves a competitive ratio of 4 in terms of maximum delay, against an undominated mechanism. Finally, we assume some distributions of the agents’ valuations, and investigate our mechanism’s performance in terms of expected delays.

Erratum to: Prediction Mechanisms That Do Not Incentivize Undesirable Actions

Computationally Feasible Automated Mechanism Design (CFAMD) combines manual mechanism design and optimization.