VeriOSS: Using the Blockchain to Foster Bug Bounty Programs

Authors Andrea Canidio , Gabriele Costa , Letterio Galletta

Thumbnail PDF


  • Filesize: 0.51 MB
  • 14 pages

Document Identifiers

Author Details

Andrea Canidio
  • IMT School for Advanced Studies, Lucca, Italy
  • INSEAD, Fontainebleau, France
Gabriele Costa
  • IMT School for Advanced Studies, Lucca, Italy
Letterio Galletta
  • IMT School for Advanced Studies, Lucca, Italy

Cite AsGet BibTex

Andrea Canidio, Gabriele Costa, and Letterio Galletta. VeriOSS: Using the Blockchain to Foster Bug Bounty Programs. In 2nd International Conference on Blockchain Economics, Security and Protocols (Tokenomics 2020). Open Access Series in Informatics (OASIcs), Volume 82, pp. 6:1-6:14, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2021)


Nowadays software is everywhere and this is particularly true for free and open source software (FOSS). Discovering bugs in FOSS projects is of paramount importance and many bug bounty programs attempt to attract skilled analysts by promising rewards. Nevertheless, developing an effective bug bounty program is challenging. As a consequence, many programs fail to support an efficient and fair bug bounty market. In this paper, we present VeriOSS, a novel bug bounty platform. The idea behind VeriOSS is to exploit the blockchain technology to develop a fair and efficient bug bounty market. To this aim, VeriOSS combines formal guarantees and economic incentives to ensure that the bug disclosure is both reliable and convenient for the market actors.

Subject Classification

ACM Subject Classification
  • Security and privacy → Software security engineering
  • Software and its engineering → Formal software verification
  • Security and privacy → Economics of security and privacy
  • Bug Bounty
  • Decentralized platforms
  • Symbolic-reverse debugging


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Kenneth Joseph Arrow. Economic welfare and the allocation of resources for invention. In Readings in industrial economics, pages 219-236. Springer, 1972. Google Scholar
  2. Roberto Baldoni, Emilio Coppa, Daniele Cono D'Elia, Camil Demetrescu, and Irene Finocchi. A survey of symbolic execution techniques. ACM Comput. Surv., 51(3):50:1-50:39, May 2018. Google Scholar
  3. Marcello M. Bonsangue and Joost N. Kok. The weakest precondition calculus: Recursion and duality. Form. Asp. Comput., 6(1):788-800, November 1994. Google Scholar
  4. George Coker, Joshua D. Guttman, Peter Loscocco, Amy L. Herzog, Jonathan K. Millen, Brian O'Hanlon, John D. Ramsdell, Ariel Segall, Justin Sheehy, and Brian T. Sniffen. Principles of remote attestation. Int. J. Inf. Sec., 10(2):63-81, 2011. Google Scholar
  5. Chris Dannen. Introducing Ethereum and Solidity. Apress, Berkely, CA, USA, 1st edition, 2017. Google Scholar
  6. Leonardo De Moura and Nikolaj Bjørner. Satisfiability modulo theories: Introduction and applications. Commun. ACM, 54(9):69-77, September 2011. Google Scholar
  7. Dorothy E. Denning. A lattice model of secure information flow. Commun. ACM, 19(5):236-243, May 1976. Google Scholar
  8. Cormac Flanagan, Cormac Flanagan, and James B. Saxe. Avoiding exponential explosion: Generating compact verification conditions. In Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '01, pages 193-205. ACM, 2001. Google Scholar
  9. Vivek Haldar, Deepak Chandra, and Michael Franz. Semantic remote attestation: A virtual machine directed approach to trusted computing. In Proceedings of the 3rd Conference on Virtual Machine Research And Technology Symposium - Volume 3, VM'04, pages 3-3. USENIX Association, 2004. Google Scholar
  10. Carmit Hazay and Yehuda Lindell. Efficient Secure Two-Party Protocols: Techniques and Constructions. Springer-Verlag, Berlin, Heidelberg, 1st edition, 2010. Google Scholar
  11. Johannes Hörner and Andrzej Skrzypacz. Selling information. Journal of Political Economy, 124(6):1515-1562, 2016. Google Scholar
  12. Florent Kirchner, Nikolai Kosmatov, Virgile Prevosto, Julien Signoles, and Boris Yakobowski. Frama-C: A software analysis perspective. Formal Aspects of Computing, 27(3):573-609, May 2015. Google Scholar
  13. Gergely Kovásznai, Andreas Fröhlich, and Armin Biere. On the complexity of fixed-size bit-vector logics with binary encoded bit-width. In Pascal Fontaine and Amit Goel, editors, SMT 2012. 10th International Workshop on Satisfiability Modulo Theories, volume 20 of EPiC Series in Computing, pages 44-56. EasyChair, 2013. Google Scholar
  14. Bertrand Meyer. Contract-driven development. In Proceedings of the 10th International Conference on Fundamental Approaches to Software Engineering, FASE'07, pages 11-11, Berlin, Heidelberg, 2007. Springer-Verlag. Google Scholar
  15. Aybek Mukhamedov, Steve Kremer, and Eike Ritter. Analysis of a multi-party fair exchange protocol and formal proof of correctness in the strand space model. In Andrew S. Patrick and Moti Yung, editors, Financial Cryptography and Data Security, pages 255-269, Berlin, Heidelberg, 2005. Springer Berlin Heidelberg. Google Scholar
  16. Suzette Person, Guowei Yang, Neha Rungta, and Sarfraz Khurshid. Directed incremental symbolic execution. In Proceedings of the 32Nd ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '11, pages 504-515. ACM, 2011. Google Scholar
  17. Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage. Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Syst. Secur., 15(1):2:1-2:34, March 2012. Google Scholar
  18. Glynn Winskel. The Formal Semantics of Programming Languages: An Introduction. MIT Press, Cambridge, MA, USA, 1993. Google Scholar
  19. Daniel Davis Wood. Ethereum: A Secure Decentralised Generalised Transaction Ledger, 2014. (White paper). Google Scholar