{"id":434,"date":"2024-11-14T03:33:28","date_gmt":"2024-11-14T03:33:28","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/chaitanyap\/?p=434"},"modified":"2024-11-14T03:33:28","modified_gmt":"2024-11-14T03:33:28","slug":"journal-entry-13","status":"publish","type":"post","link":"https:\/\/sites.wp.odu.edu\/chaitanyap\/2024\/11\/14\/journal-entry-13\/","title":{"rendered":"Journal Entry 13"},"content":{"rendered":"\n<p>A study by HackerOne has revealed important details pertaining to bug bounty programs. In these programs, companies pay freelance security researchers to discover and report any problems with their systems. Security researchers are mostly not motivated by money. They have a low price elasticity of 0.1-0.2, meaning that even companies with small budgets can gain advantages. A company&#8217;s size and brand don&#8217;t greatly affect how many vulnerability reports it gets, which means smaller companies can use these programs well. The finance, retail, and healthcare sectors usually get fewer reports, but this isn&#8217;t a strong finding. As programs get older, they get fewer reports because the easier vulnerabilities get found first. It&#8217;s also important to mention that when new companies join bug bounty platforms, it does not hurt the number of reports received by existing companies. The study points out that bug bounties are a cheap way to improve cybersecurity, especially for companies with little money, and help with the lack of skilled cybersecurity workers. 
However, the researchers admit that their model only explains 40% of what they see, showing that more research is needed to fully understand how bug bounties work.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A study by HackerOne has revealed important details pertaining to bug bounty programs. In these programs, companies pay freelance security researchers to discover and report any problems with their systems. Security researchers are mostly not motivated by money. They have a low price elasticity of 0.1-0.2, meaning that even companies with small budgets can gain advantages. A company&#8217;s size and brand don&#8217;t greatly affect how many vulnerability reports it gets, which means smaller companies can use these programs well. The finance, retail, and healthcare sectors usually get fewer reports, but this isn&#8217;t a strong finding. 
As programs get older, they get fewer reports because the easier vulnerabilities get found first. It&#8217;s also important to mention that&#8230; <\/p>\n<div class=\"link-more\"><a href=\"https:\/\/sites.wp.odu.edu\/chaitanyap\/2024\/11\/14\/journal-entry-13\/\">Read More<\/a><\/div>\n","protected":false},"author":29513,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wds_primary_category":5},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/posts\/434"}],"collection":[{"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/users\/29513"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/comments?post=434"}],"version-history":[{"count":1,"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/posts\/434\/revisions"}],"predecessor-version":[{"id":435,"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/posts\/434\/revisions\/435"}],"wp:attachment":[{"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/media?parent=434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/categories?post=434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/chaitanyap\/wp-json\/wp\/v2\/tags?post=434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}