Image from the report “Bug bounties for algorithmic harms?” Credit: AJL.
Researchers from the Algorithmic Justice League (AJL) have released a report which takes a detailed look at bug bounty programmes (BBPs) and how these could be used to address various kinds of socio-technical problems, including algorithmic harm.
BBPs are mechanisms that incentivize hackers to identify and report cybersecurity vulnerabilities. Hundreds of companies and organizations regularly use BBPs to buy security flaws from hackers. Now, BBPs have been adopted to address a wider spectrum of socio-technical harms and risks beyond security bugs.
However, as report authors Josh Kenway, Camille François, Sasha Costanza-Chock, Inioluwa Deborah Raji, and Joy Buolamwini note, the conditions under which BBPs might constitute appropriate mechanisms for addressing socio-technical concerns remain relatively unexamined.
To compile their report the authors held interviews with BBP experts and practitioners, they reviewed the existing literature, and they analysed historical and present-day approaches to vulnerability disclosure. There were three main lines of enquiry for the team. They considered how BBPs might be used to:
The five key takeaways from the report are as follows:
You can find the full pdf version of the report here. This includes more background information, findings and recommendations pertaining to the five key takeaways, interviews with experts, and a case study of Twitter’s recent bias bounty pilot.
Kenway, Josh, Camille François, Sasha Costanza-Chock, Inioluwa Deborah Raji, and Joy Buolamwini. Bug Bounties For Algorithmic Harms? Lessons from Cybersecurity Vulnerability Disclosure for Algorithmic Harms Discovery, Disclosure, and Redress. Washington, DC: Algorithmic Justice League. January 2022. Available at https://ajl.org/bugs.