Journal 11.2: Review of Bug Bounty Programs

Hailey Caram

A later module addresses cybersecurity policy through a social science framework.  At this point, attention can be drawn to one type of policy, known as bug bounty policies.  These policies pay individuals for identifying vulnerabilities in a company’s cyber infrastructure.  To identify the vulnerabilities, ethical hackers are invited to try to explore the cyber infrastructure using their penetration testing skills.  The policies relate to economics in that they are based on cost/benefit principles.  Read this article https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true  and write a summary reaction to the use of the policies in your journal.  Focus primarily on the literature review and the discussion of the findings.

This study explores bug bounty programs, which are a practical (and cost-effective) way for organizations to boost their cybersecurity posture by allowing ethical hackers to try to exploit their systems and report the vulnerabilities they find. By finding and explaining weak spots within the network, companies can strengthen their cybersecurity posture before hackers with ill intent can infiltrate. Two benefits of bug bounty programs are pointed out by the literature review: they offer external skills that may not be available within the company, and they help mitigate the shortage of cybersecurity professionals, especially in smaller companies (Sridhar & Ng, 2021).

The study shows that ethical hackers aren’t strongly motivated by financial gain (Sridhar & Ng, 2021), meaning that even smaller companies with strict budgets can still benefit from their expertise. Another important point is that the size or age of a company does not affect the quality or number of vulnerabilities that are reported to it. This shows that bug bounty programs can be of value no matter how small or big a company is.

One difficulty that was mentioned is that older programs usually see a decline in the number of reports they receive over time; this is probably because most bugs have already been identified and resolved. To keep bug bounty programs active, companies could benefit from expanding the scope in which ethical hackers are allowed to attempt exploitation. I found it interesting that the growth of new bug bounties does not reduce participation in older ones.

Bug bounties can be extremely useful in improving the overall cybersecurity posture of a company. They allow for companies of all sizes, ages, and reputations to benefit in a way that does not have a significant financial impact.

References

Sridhar, K., & Ng, M. (2021). Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties. Journal of Cybersecurity, 7(1). https://doi.org/10.1093/cybsec/tyab007
