We describe a mechanism to create fair and explainable incentives for software developers that reward contributions to the security of a product. We use cooperative game theory to model the actions of the developer team inside a risk management workflow, treating the team as actively working against known threats and receiving micro-payments based on its performance. The use of the Shapley value provides natural explanations here, directly through (new) interpretations of the axiomatic grounding of the imputation. The resulting mechanism is straightforward to implement and relies on standard tools from collaborative software development, such as those available for mining git repositories. The micropayment model itself is deterministic and does not rely on uncertain information outside the scope of the developer team or the enterprise; it therefore makes no assumptions about adversarial incentives or user behavior beyond their role in the risk management process that the mechanism is part of. We corroborate our model with a worked example based on real-life data.