{"id":"https://openalex.org/W2966983806","doi":"https://doi.org/10.1145/3339252.3341495","title":"Productivity and Patterns of Activity in Bug Bounty Programs","display_name":"Productivity and Patterns of Activity in Bug Bounty Programs","publication_year":2019,"publication_date":"2019-08-09","ids":{"openalex":"https://openalex.org/W2966983806","doi":"https://doi.org/10.1145/3339252.3341495","mag":"2966983806"},"language":"en","primary_location":{"id":"doi:10.1145/3339252.3341495","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3339252.3341495","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 14th International Conference on Availability, Reliability and Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5001173841","display_name":"Donatello Luna","orcid":null},"institutions":[{"id":"https://openalex.org/I4210127623","display_name":"Ospedale di Circolo di Busto Arsizio","ror":"https://ror.org/03af1ns45","country_code":"IT","type":"healthcare","lineage":["https://openalex.org/I4210127623"]}],"countries":["IT"],"is_corresponding":true,"raw_author_name":"Donatello Luna","raw_affiliation_strings":["Tribunale di Busto Arsizio, Busto Arsizio, Varese, Italy"],"affiliations":[{"raw_affiliation_string":"Tribunale di Busto Arsizio, Busto Arsizio, Varese, Italy","institution_ids":["https://openalex.org/I4210127623"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047635330","display_name":"Luca Allodi","orcid":"https://orcid.org/0000-0003-1600-0868"},"institutions":[{"id":"https://openalex.org/I83019370","display_name":"Eindhoven University of Technology","ror":"https://ror.org/02c2kyt77","country_code":"NL","type":"education","lineage":["https://openalex.org/I83019370"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Luca Allodi","raw_affiliation_strings":["Eindhoven University of Technology, Eindhoven, Netherlands"],"affiliations":[{"raw_affiliation_string":"Eindhoven University of Technology, Eindhoven, Netherlands","institution_ids":["https://openalex.org/I83019370"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5080057892","display_name":"Marco Cremonini","orcid":"https://orcid.org/0000-0002-4031-9791"},"institutions":[{"id":"https://openalex.org/I189158943","display_name":"University of Milan","ror":"https://ror.org/00wjc7c48","country_code":"IT","type":"education","lineage":["https://openalex.org/I189158943"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Marco Cremonini","raw_affiliation_strings":["University of Milan, Milan, Italy"],"affiliations":[{"raw_affiliation_string":"University of Milan, Milan, Italy","institution_ids":["https://openalex.org/I189158943"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5001173841"],"corresponding_institution_ids":["https://openalex.org/I4210127623"],"apc_list":null,"apc_paid":null,"fwci":0.4976,"has_fulltext":false,"cited_by_count":12,"citation_normalized_percentile":{"value":0.63035473,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"10"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9973999857902527,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9973999857902527,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9965999722480774,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9957000017166138,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/productivity","display_name":"Productivity","score":0.7628035545349121},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.7087390422821045},{"id":"https://openalex.org/keywords/incentive","display_name":"Incentive","score":0.6476495862007141},{"id":"https://openalex.org/keywords/homogeneous","display_name":"Homogeneous","score":0.584033727645874},{"id":"https://openalex.org/keywords/software-bug","display_name":"Software bug","score":0.5755500197410583},{"id":"https://openalex.org/keywords/work","display_name":"Work (physics)","score":0.547422468662262},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5383034944534302},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5304483771324158},{"id":"https://openalex.org/keywords/data-science","display_name":"Data science","score":0.435219943523407},{"id":"https://openalex.org/keywords/security-bug","display_name":"Security bug","score":0.4276672601699829},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.39121150970458984},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.34914255142211914},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.34645146131515503},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.2125469446182251},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.1840100884437561}],"concepts":[{"id":"https://openalex.org/C204983608","wikidata":"https://www.wikidata.org/wiki/Q2111958","display_name":"Productivity","level":2,"score":0.7628035545349121},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.7087390422821045},{"id":"https://openalex.org/C29122968","wikidata":"https://www.wikidata.org/wiki/Q1414816","display_name":"Incentive","level":2,"score":0.6476495862007141},{"id":"https://openalex.org/C66882249","wikidata":"https://www.wikidata.org/wiki/Q169336","display_name":"Homogeneous","level":2,"score":0.584033727645874},{"id":"https://openalex.org/C1009929","wikidata":"https://www.wikidata.org/wiki/Q179550","display_name":"Software bug","level":3,"score":0.5755500197410583},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.547422468662262},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5383034944534302},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5304483771324158},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.435219943523407},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.4276672601699829},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.39121150970458984},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.34914255142211914},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.34645146131515503},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.2125469446182251},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.1840100884437561},{"id":"https://openalex.org/C97355855","wikidata":"https://www.wikidata.org/wiki/Q11473","display_name":"Thermodynamics","level":1,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C78519656","wikidata":"https://www.wikidata.org/wiki/Q101333","display_name":"Mechanical engineering","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C162324750","wikidata":"https://www.wikidata.org/wiki/Q8134","display_name":"Economics","level":0,"score":0.0},{"id":"https://openalex.org/C139719470","wikidata":"https://www.wikidata.org/wiki/Q39680","display_name":"Macroeconomics","level":1,"score":0.0},{"id":"https://openalex.org/C175444787","wikidata":"https://www.wikidata.org/wiki/Q39072","display_name":"Microeconomics","level":1,"score":0.0},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.0}],"mesh":[],"locations_count":4,"locations":[{"id":"doi:10.1145/3339252.3341495","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3339252.3341495","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 14th International Conference on Availability, Reliability and Security","raw_type":"proceedings-article"},{"id":"pmh:oai:pure.tue.nl:openaire_cris_publications/2dedf686-5add-48c9-a200-b75475248752","is_oa":false,"landing_page_url":"https://research.tue.nl/en/publications/2dedf686-5add-48c9-a200-b75475248752","pdf_url":null,"source":{"id":"https://openalex.org/S4406922641","display_name":"TU/e Research Portal","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Luna, D, Allodi, L & Cremonini, M 2019, Productivity and patterns of activity in bug bounty programs : analysis of hackerone and Google vulnerability research. in Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES 2019., 67, ACM International Conference Proceeding Series, Association for Computing Machinery, Inc., New York, 14th International Conference on Availability, Reliability and Security, ARES 2019, Canterbury, United Kingdom, 26/08/19. https://doi.org/10.1145/3339252.3341495","raw_type":"info:eu-repo/semantics/publishedVersion"},{"id":"pmh:oai:pure.tue.nl:publications/2dedf686-5add-48c9-a200-b75475248752","is_oa":false,"landing_page_url":"http://www.scopus.com/inward/record.url?scp=85071723355&partnerID=8YFLogxK","pdf_url":null,"source":{"id":"https://openalex.org/S4406922641","display_name":"TU/e Research Portal","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Luna, D, Allodi, L & Cremonini, M 2019, Productivity and patterns of activity in bug bounty programs : analysis of hackerone and Google vulnerability research. in Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES 2019., 67, ACM International Conference Proceeding Series, Association for Computing Machinery, Inc., New York, 14th International Conference on Availability, Reliability and Security, ARES 2019, Canterbury, United Kingdom, 26/08/19. https://doi.org/10.1145/3339252.3341495","raw_type":"info:eu-repo/semantics/publishedVersion"},{"id":"pmh:tue:oai:pure.tue.nl:publications/2dedf686-5add-48c9-a200-b75475248752","is_oa":false,"landing_page_url":"https://research.tue.nl/nl/publications/2dedf686-5add-48c9-a200-b75475248752","pdf_url":null,"source":{"id":"https://openalex.org/S4306401843","display_name":"Data Archiving and Networked Services (DANS)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1322597698","host_organization_name":"Royal Netherlands Academy of Arts and Sciences","host_organization_lineage":["https://openalex.org/I1322597698"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES 2019","raw_type":"info:eu-repo/semantics/conferencepaper"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/8","score":0.6000000238418579,"display_name":"Decent work and economic growth"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":6,"referenced_works":["https://openalex.org/W1598505713","https://openalex.org/W1966106079","https://openalex.org/W2021348304","https://openalex.org/W2618991564","https://openalex.org/W2860610442","https://openalex.org/W4298134634"],"related_works":["https://openalex.org/W1978034799","https://openalex.org/W4283750846","https://openalex.org/W2100022726","https://openalex.org/W2007984522","https://openalex.org/W2003584227","https://openalex.org/W3048815537","https://openalex.org/W2167539342","https://openalex.org/W2352736757","https://openalex.org/W4384518368","https://openalex.org/W2061699859"],"abstract_inverted_index":{"In":[0],"this":[1,107],"work,":[2],"we":[3,83],"considered":[4],"two":[5],"well-known":[6],"bug":[7,48,123,140,170],"bounty":[8,49,171,179],"programs":[9,34,172,180],"-":[10,16],"HackerOne":[11,31,39],"and":[12,25,32,45,57,99,125,188,205],"Google":[13,60,70],"Vulnerability":[14,61],"Research":[15],"with":[17,51],"the":[18,43,81,92,115,151],"goal":[19],"of":[20,23,28,42,54,78,94,102,106,200,203],"investigating":[21],"patterns":[22,101],"activity":[24],"comparing":[26],"productivity":[27,86],"security":[29,55],"researchers.":[30],"Google's":[33],"differ":[35],"in":[36,138,185],"many":[37],"ways.":[38],"is":[40,64,109,148,160],"one":[41],"largest":[44],"most":[46],"successful":[47],"programs,":[50],"heterogeneous":[52],"membership":[53],"researchers":[56,95,137],"software":[58,126,189],"producers.":[59],"Research,":[62],"instead,":[63],"a":[65,74,165,197],"closed":[66],"program":[67],"for":[68],"selected":[69],"employees":[71],"working":[72],"on":[73,114],"more":[75,155],"homogeneous":[76,201],"range":[77],"software.":[79],"For":[80],"analysis,":[82],"introduced":[84],"three":[85],"metrics,":[87],"which":[88,191],"let":[89],"us":[90],"study":[91],"performance":[93],"under":[96],"different":[97,169],"perspectives":[98],"possible":[100],"activity.":[103],"A":[104],"contribution":[105],"work":[108],"to":[110,161,175],"shed":[111],"new":[112],"light":[113],"yet":[116],"not":[117,194],"well":[118],"understood":[119],"environment":[120],"represented":[121],"by":[122,135,154],"bounties":[124,141],"vulnerability":[127],"discovery":[128],"initiatives.":[129],"The":[130],"low-hanging":[131],"fruits":[132],"approach":[133,152],"adopted":[134,153],"unexperienced":[136],"open":[139],"has":[142],"been":[143],"often":[144],"discussed,":[145],"but":[146],"less":[147],"known":[149],"about":[150],"experienced":[156],"participants.":[157],"Another":[158],"result":[159],"have":[162],"shown":[163],"that":[164],"generic":[166],"comparison":[167],"between":[168],"may":[173],"lead":[174],"wrong":[176],"conclusions.":[177],"Bug":[178],"could":[181],"exhibits":[182],"large":[183],"variations":[184],"researcher":[186],"profiles":[187],"characteristics,":[190],"make":[192],"them":[193],"comparable":[195],"without":[196],"careful":[198],"examination":[199],"subsets":[202],"participants":[204],"incentive":[206],"mechanisms.":[207]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":3},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":1},{"year":2019,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2019-08-22T00:00:00"}