A study by HackerOne has revealed important details about bug bounty programs, in which companies pay freelance security researchers to discover and report problems with their systems. Security researchers are mostly not motivated by money: the study estimates a low price elasticity of 0.1-0.2, meaning that even companies with small budgets can benefit. A company’s size and brand don’t greatly affect how many vulnerability reports it receives, so smaller companies can use these programs effectively. The finance, retail, and healthcare sectors usually receive fewer reports, but this finding is not statistically strong. As programs age, they receive fewer reports because the easier vulnerabilities are found first. It’s also worth noting that when new companies join bug bounty platforms, the number of reports received by existing companies does not decline. The study concludes that bug bounties are a cheap way to improve cybersecurity, especially for companies with limited funds, and that they help offset the shortage of skilled cybersecurity workers. However, the researchers admit that their model explains only 40% of the variation they observe, which shows that more research is needed to fully understand how bug bounties work.