The text discusses the evolving landscape of cybersecurity vulnerability disclosure policies (VDPs) and the increasing reliance on bug bounty programs. It highlights prevailing skepticism among firms, a significant share of which lack VDPs; without a policy, security researchers are reluctant to disclose the vulnerabilities they find because of liability concerns.
The literature review emphasizes the growing shift in attitudes, with recommendations from authorities like the US Deputy Attorney General and directives from the Department of Homeland Security for government agencies to adopt VDPs. Bug bounty programs, where freelance security researchers are rewarded for finding vulnerabilities, are gaining popularity, evident in platforms like HackerOne reaching significant payment milestones.
The paper addresses a gap in the literature, acknowledging limited empirical studies on bug bounty programs’ impact. It presents a comprehensive analysis based on a substantial dataset from HackerOne, employing regression models to explore factors influencing the number of valid vulnerability reports. The findings suggest that companies, regardless of size or profile, can benefit from bug bounty programs, providing valuable insights into cybersecurity weaknesses.
The identified factors include program age, industry, brand profile, bounty amount, time to resolution, revenue, scope, whether the program is new, and whether it is public or private. The article's empirical findings include hackers' insensitivity to bounty price, the absence of a significant effect from a company's size or profile, and a decline in the number of reports as a bug bounty program ages.
However, the paper acknowledges limitations, including potential omitted variables, such as report severity and scope, and a 40% explanatory gap in the regression model. The conclusion underscores the importance of bug bounty programs, raising questions for future research and emphasizing the need for a more thorough understanding of this cybersecurity landscape.
The structure of the article is outlined, featuring sections on background, methodology, empirical results, implications, and potential future research. The paper draws on both literature and interviews, combining theoretical insights with practical perspectives from HackerOne employees, security researchers, and a former chief security officer.
In summary, the paper contributes significantly to the literature on bug bounty programs, offering empirical evidence, identifying key factors, and emphasizing the practical benefits for companies aiming to enhance their cybersecurity posture.
Source:
Kiran Sridhar, Ming Ng, Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties, Journal of Cybersecurity, Volume 7, Issue 1, 2021, tyab007, https://doi.org/10.1093/cybsec/tyab007