As I read the article I was fascinated; I had no idea what real effect bug bounty
policies and programs have at the business scale. I can understand why many businesses
are dubious about third parties reporting security flaws and vulnerabilities. Nobody wants
strangers in their own backyard finding out their most intimate secrets, so to speak, but
this fear is preventing companies from finding their blind spots.
As I kept reading, the point of view swiftly changed: bug bounties have become a big
business, reaching hundreds of millions of dollars in bounty revenue. Companies are even
taking things a step further by taking part in bug bounty markets, where independent
security researchers, also known as ethical hackers, are hired to locate flaws in business
IT systems and code bases and to communicate the vulnerabilities persuasively, so that
the companies can build better security into their systems.
But again, companies try to keep their evaluations and vulnerabilities private, which
hinders future studies: documentation is scarce to nonexistent and not publicly
available, so establishing research is a struggle and has to rest on observations, which
may not be as reliable as the raw data from a validated report.
Learning how big companies are succeeding by implementing these policies, and how
ethical hackers are compensated, I might want to head into that field to earn hefty
rewards while companies still maintain a cost-effective budget; as stated in the reading,
a bug bounty program is cheaper than hiring two full-time IT positions.
This research paper has economic principles written all over it; it explains how
cost-benefit analysis comes into play in deciding the reward money against the losses
avoided by limiting hacks that would interrupt the company's operations. It is amazing
how everything fits together.
The findings of the research are fascinating, even where they state the obvious: bug
bounties are very effective tools regardless of company size, though the study found that,
depending on the type of company, some might receive fewer reports.
Companies need to make an effort to make at least some of their findings available in
order to build a better understanding, because we know very little about this market. By
increasing our knowledge, ethical hacking might become a new way to combat cyberattacks,
enhancing our comprehension of an increasingly needed cybersecurity tool.

Resource:
Kiran Sridhar and Ming Ng, "Hacking for good: Leveraging HackerOne data to develop an
economic model of Bug Bounties," Journal of Cybersecurity, Volume 7, Issue 1, 2021,
tyab007, https://doi.org/10.1093/cybsec/tyab007