I believe that bug bounty policies overall are an effective means to enhance one's cybersecurity, and can be a beneficial investment for most businesses. In the paper "Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties", the authors highlighted six of their key findings. First, they found that most hackers are largely motivated by non-monetary factors such as experience and reputation. Next, their study established that bug bounties can be beneficial for any and all companies regardless of size. Their third finding was that the financial, health, and retail industries have notably lower reports of vulnerabilities per month, because the reward for reporting could be lower than the profit a hacker could make selling the vulnerability or data online. Fourth, HackerOne has been able to recruit more hackers, which results in higher usage of and more time spent on their platform. The fifth finding discusses how older programs receive fewer reports and will continue to do so unless they increase their bounties. Lastly, the study fails to explain 96% of the variation in the number of valid reports programs receive each month, meaning we really don't know much about bug bounty markets.