{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2017:XHBKWV6WZYMV53TJ52JN5467WN","short_pith_number":"pith:XHBKWV6W","canonical_record":{"source":{"id":"1709.06224","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-19T01:53:33Z","cross_cats_sorted":[],"title_canon_sha256":"b12791cd026a1ad4ac4525eca6136edab9b96f6163dfb641376682b47f497312","abstract_canon_sha256":"6d98a1266620262d90dc7c8ce64b16cd09ad5fd0e5262fe07c51351d41673505"},"schema_version":"1.0"},"canonical_sha256":"b9c2ab57d6ce195eee69ee92def3dfb366de1479870d6cbd4c67c1056358b270","source":{"kind":"arxiv","id":"1709.06224","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1709.06224","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"arxiv_version","alias_value":"1709.06224v1","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1709.06224","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"pith_short_12","alias_value":"XHBKWV6WZYMV","created_at":"2026-05-18T12:31:53Z"},{"alias_kind":"pith_short_16","alias_value":"XHBKWV6WZYMV53TJ","created_at":"2026-05-18T12:31:53Z"},{"alias_kind":"pith_short_8","alias_value":"XHBKWV6W","created_at":"2026-05-18T12:31:53Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2017:XHBKWV6WZYMV53TJ52JN5467WN","target":"record","payload":{"canonical_record":{"source":{"id":"1709.06224","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-19T01:53:33Z","cross_cats_sorted":[],"title_canon_sha256":"b12791cd026a1ad4ac4525eca6136edab9b96f6163dfb641376682b47f497312","abstract_canon_sha256":"6d98a1266620262d90dc7c8ce64b16cd09ad5fd0e5262fe07c51351d41673505"},"schema_version":"1.0"},"canonical_sha256":"b9c2ab57d6ce195eee69ee92def3dfb366de1479870d6cbd4c67c1056358b270","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T00:34:53.904625Z","signature_b64":"ggSQv/qGtTrWEKyn19l7mbdFpV/QVNbGDjJJQMUyCykzVysz6jCZGy6l929k/0CMmOFnAx8xIrrG603BDZLsBw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"b9c2ab57d6ce195eee69ee92def3dfb366de1479870d6cbd4c67c1056358b270","last_reissued_at":"2026-05-18T00:34:53.903830Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T00:34:53.903830Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"1709.06224","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:34:53Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"WBMDpeI6pPv3xaUDyE0OkjCCPssdizRbrIWzfzxCOW0Q1L8VI3yGO5xFCWZhsgQhSw+quXIALtKDlQFceCp4Bg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-08T20:33:54.194195Z"},"content_sha256":"eea4f2e605dbb0b9e385a2f844e3b5a8c25933eb06652ade7f722f5a2328c89d","schema_version":"1.0","event_id":"sha256:eea4f2e605dbb0b9e385a2f844e3b5a8c25933eb06652ade7f722f5a2328c89d"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2017:XHBKWV6WZYMV53TJ52JN5467WN","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Understanding the Heterogeneity of Contributors in Bug Bounty Programs","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.SE","authors_text":"Hideaki Hata, M. Ali Babar, Mingyu Guo","submitted_at":"2017-09-19T01:53:33Z","abstract_excerpt":"Background: While bug bounty programs are not new in software development, an increasing number of companies, as well as open source projects, rely on external parties to perform the security assessment of their software for reward. However, there is relatively little empirical knowledge about the characteristics of bug bounty program contributors. Aim: This paper aims to understand those contributors by highlighting the heterogeneity among them. Method: We analyzed the histories of 82 bug bounty programs and 2,504 distinct bug bounty contributors, and conducted a quantitative and qualitative "},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1709.06224","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:34:53Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"s0QQb9v+678qIRKjXxQoERjtzfyYw34nsD9KH/Tz92BSfmslBu7nNRw6YqWoasl8o6ludsDOvBYLFCm380UqCg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-08T20:33:54.194896Z"},"content_sha256":"db3bfdcd6192dab8ab3390d67693f4b051cffc2071872c1533c05bc4eed4684b","schema_version":"1.0","event_id":"sha256:db3bfdcd6192dab8ab3390d67693f4b051cffc2071872c1533c05bc4eed4684b"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/XHBKWV6WZYMV53TJ52JN5467WN/bundle.json","state_url":"https://pith.science/pith/XHBKWV6WZYMV53TJ52JN5467WN/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/XHBKWV6WZYMV53TJ52JN5467WN/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-08T20:33:54Z","links":{"resolver":"https://pith.science/pith/XHBKWV6WZYMV53TJ52JN5467WN","bundle":"https://pith.science/pith/XHBKWV6WZYMV53TJ52JN5467WN/bundle.json","state":"https://pith.science/pith/XHBKWV6WZYMV53TJ52JN5467WN/state.json","well_known_bundle":"https://pith.science/.well-known/pith/XHBKWV6WZYMV53TJ52JN5467WN/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2017:XHBKWV6WZYMV53TJ52JN5467WN","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"6d98a1266620262d90dc7c8ce64b16cd09ad5fd0e5262fe07c51351d41673505","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-19T01:53:33Z","title_canon_sha256":"b12791cd026a1ad4ac4525eca6136edab9b96f6163dfb641376682b47f497312"},"schema_version":"1.0","source":{"id":"1709.06224","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1709.06224","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"arxiv_version","alias_value":"1709.06224v1","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1709.06224","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"pith_short_12","alias_value":"XHBKWV6WZYMV","created_at":"2026-05-18T12:31:53Z"},{"alias_kind":"pith_short_16","alias_value":"XHBKWV6WZYMV53TJ","created_at":"2026-05-18T12:31:53Z"},{"alias_kind":"pith_short_8","alias_value":"XHBKWV6W","created_at":"2026-05-18T12:31:53Z"}],"graph_snapshots":[{"event_id":"sha256:db3bfdcd6192dab8ab3390d67693f4b051cffc2071872c1533c05bc4eed4684b","target":"graph","created_at":"2026-05-18T00:34:53Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Background: While bug bounty programs are not new in software development, an increasing number of companies, as well as open source projects, rely on external parties to perform the security assessment of their software for reward. However, there is relatively little empirical knowledge about the characteristics of bug bounty program contributors. Aim: This paper aims to understand those contributors by highlighting the heterogeneity among them. Method: We analyzed the histories of 82 bug bounty programs and 2,504 distinct bug bounty contributors, and conducted a quantitative and qualitative ","authors_text":"Hideaki Hata, M. Ali Babar, Mingyu Guo","cross_cats":[],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-19T01:53:33Z","title":"Understanding the Heterogeneity of Contributors in Bug Bounty Programs"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1709.06224","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:eea4f2e605dbb0b9e385a2f844e3b5a8c25933eb06652ade7f722f5a2328c89d","target":"record","created_at":"2026-05-18T00:34:53Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"6d98a1266620262d90dc7c8ce64b16cd09ad5fd0e5262fe07c51351d41673505","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2017-09-19T01:53:33Z","title_canon_sha256":"b12791cd026a1ad4ac4525eca6136edab9b96f6163dfb641376682b47f497312"},"schema_version":"1.0","source":{"id":"1709.06224","kind":"arxiv","version":1}},"canonical_sha256":"b9c2ab57d6ce195eee69ee92def3dfb366de1479870d6cbd4c67c1056358b270","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"b9c2ab57d6ce195eee69ee92def3dfb366de1479870d6cbd4c67c1056358b270","first_computed_at":"2026-05-18T00:34:53.903830Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T00:34:53.903830Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"ggSQv/qGtTrWEKyn19l7mbdFpV/QVNbGDjJJQMUyCykzVysz6jCZGy6l929k/0CMmOFnAx8xIrrG603BDZLsBw==","signature_status":"signed_v1","signed_at":"2026-05-18T00:34:53.904625Z","signed_message":"canonical_sha256_bytes"},"source_id":"1709.06224","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:eea4f2e605dbb0b9e385a2f844e3b5a8c25933eb06652ade7f722f5a2328c89d","sha256:db3bfdcd6192dab8ab3390d67693f4b051cffc2071872c1533c05bc4eed4684b"],"state_sha256":"be63157802fcb3d86f8c11ceedfbb319f7fa87594fa8972cf92e44043568cd4d"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"AlvOiXeOYexVQSaTEZDTv2weJHNyHhZQnzArCluDxCpN0KlTnWbIZbGaFyswHIb5VrfXuvOSDgSX2zBvbQV9BQ==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-08T20:33:54.199305Z","bundle_sha256":"093c7d686240e9335586d3b6af22a55d81195de2ff90ead5fa668c7f2a3535e5"}}