This event has ended. Visit the official site or create your own event on Sched.
Navigation and Scheduling Note: Use the "Filter by Type" option to search for individual tracks (i.e. General, Information, Software, Transportation) as well as other types, such as plenary sessions and meal breaks. Please note that each track runs simultaneously. Track-specific sessions have distinct room locations, which will be updated shortly.

Back To Schedule
Monday, October 7 • 2:00pm - 2:45pm
Unconference 1 Topic Seed: A Valuable Flaw: Bug Bounty Programs, Software Maintenance, and Infrastructure Labor

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
In 1995, Netscape launched a then-novel idea: a program that paid users for flaws they discovered in the most recent version of their Netscape Navigator web browser. Over the next two decades, “bug bounty” programs, as they are known, became commonplace: Google, Microsoft, Facebook, Starbucks, the Department of Defense, and hundreds of other organizations now routinely purchase flaws from thousands of individual security researchers across the globe. What was once radical is now typical: Bounty programs are a key way of organizing the work of software maintenance. The market for bugs alternately blurs, complements, and challenges other maintenance models (including open source and proprietary models). This paper offers a critical examination of how the market for bugs (partially) reorders the work of identifying and fixing flaws: It identifies how the invention of the market at once creates new forms of economic, legal, and technical precarity and new spaces for investigation, collaboration, and opportunity; and it analyzes the various social strategies that security researchers use to navigate and create stability within the market. The paper is based on data collected through ethnographic observation and indepth interviews with security researchers and other participants in bug bounty programs. As bounty programs become a de facto way of organizing and managing software maintenance (and are proposed as a balm for other sociotechnical flaws and failings), understanding what the market means for infrastructure labor is vital. This paper reports initial findings from an ongoing research project sponsored by Data & Society Research Institute and the National Science Foundation.

Monday October 7, 2019 2:00pm - 2:45pm EDT
5AB (2nd Floor)