EPS
← All batches·2605.13100

Security Incentivization: An Empirical Study of how Micropayments Impact Code Security

topic: current_projecttop score: 100released: 2026-05-14first surfaced: 2026-05-14arXivPDFlinked_to_results2026-05-14

Authors: Stefan Rass, Martin Pinzger, Rainer W. Alexandrowicz et al.

arXiv · PDF

Summary

arXiv:2605. 13100v1 Announce Type: new Abstract: Security often receives insufficient developer attention because it does not directly generate visible value, leading to underinvestment in practice.

Relevance

Read next because Security Incentivization: An Empirical Study of how Micropayments Impact Code Security overlaps with clean result "Language-mismatch LoRA SFT on Qwen2.5-7B leaks the trained completion language into bystander directives the model was never trained on, absent under same-language SFT (LOW confidence)", clean result "Coupling evil personas with wrong answers fails to protect Qwen2.5-7B from EM-induced alignment collapse — and the apparent capability ordering across coupling conditions is mostly eval contamination (LOW confidence)", clean result "Only continuous soft prefixes hit both EM axes at once on Qwen-2.5-7B-Instruct: discrete prompt searches split between the alignment objective and the distributional objective, and both discretizations of the soft prefix collapse (MODERATE confidence)". Matching terms: text, rect, code, under, eval, line, rate, follow-up. Source: arxiv cs.CR (Cryptography and Security).

Abstract

arXiv:2605.13100v1 Announce Type: new Abstract: Security often receives insufficient developer attention because it does not directly generate visible value, leading to underinvestment in practice. We evaluate a countermeasure by team-level incentives tied to measurable security improvements over time. Our semi-automated mechanism aggregates static analysis findings from Bearer, Detekt, and mobsfscan, computes security issue density, and rewards teams based on the relative improvement ratio across sprints, enabling repeatable, scriptable reporting at scale. In a controlled course experiment with 84 students across 14 teams, we compared a security-incentivized condition, in which bonus points were linked to security scanner results, against a control condition with an otherwise identical grading scheme. The treatment group achieved significantly lower security issue density overall (beta regression: $\beta = -0.396, p = 0.0342$), indicating improved measurable security under incentivization. After controlling for platform, we observed a marked front-end/back-end disparity, with back-ends showing fewer issues and higher improvement ratios under incentives, highlighting heterogeneous effects across stack layers. Notably, these gains were not the byproduct of inflated code volume, as lines of code increased similarly across groups over time. The measurement pipeline and toolchain proved feasible for scripting and automation, supporting scalable adoption in practice. Our results suggest that aligning rewards with automated security metrics can measurably improve code security and merit follow-up in professional contexts and longer development lifecycles.