Systems and blockchains often have security vulnerabilities and can be attacked by adversaries, with potentially significant negative consequences. Therefore, infrastructure providers increasingly rely on bug bounty programs, in which external individuals probe the system and report any vulnerabilities (bugs) in exchange for rewards (bounties). We develop a simple contest model of bug bounty programs. A group of individuals of arbitrary size is invited to undertake a costly search for bugs. The individuals differ in their abilities, which we capture by the different costs they incur to achieve a given probability of finding bugs, if any exist. Costs are private information. We study the equilibria of the contest and characterize the optimal design of bug bounty schemes. In particular, the designer can vary the size of the group of individuals invited to search, add a paid expert, insert an artificial bug with some probability, and pay multiple prizes.