Journal Entry # 13
A later module addresses cybersecurity policy through a social science framework. At this point,
attention can be drawn to one type of policy, known as bug bounty policies. These policies pay
individuals for identifying vulnerabilities in a company’s cyber infrastructure. To identify the
vulnerabilities, ethical hackers are invited to explore the cyber infrastructure using their
penetration testing skills. The policies relate to economics in that they are based on
cost/benefit principles. Read this
article https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true
and write a summary reaction to the use of the policies in your
journal. Focus primarily on the literature review and the discussion of the findings.
The article “Hacking for good: Leveraging HackerOne data to develop an economic model of
Bug Bounties” looks at the efficiency of bug bounty programs from an economic perspective
that focuses on how these programs operate within the gig economy. In the literature review,
the authors emphasize how bug bounties have been commended as cost-efficient tools for
cybersecurity, allowing companies to crowdsource vulnerability identification from ethical
hackers. The review also discusses economic theories such as price elasticity and non-monetary
motivation, setting up a foundation for understanding why security researchers choose to
participate in these programs. The study presents interesting data, suggesting that most ethical
hackers are motivated by more than just financial incentives, as reflected in the low price
elasticity of supply. The study finds that a company’s revenue or popularity does not significantly
affect the number of valid vulnerabilities it receives, suggesting that smaller or less recognized
organizations can benefit just as much from bug bounty programs as larger firms. However,
companies in certain industries, such as finance, retail, and healthcare, tend to receive fewer valid
reports. Over time, programs tend to receive fewer valid bug reports, possibly because the
most detectable vulnerabilities have already been discovered. Expanding the code base
available for testing could help counter this decline. Overall, the findings support the idea that
bug bounty programs can be both economically sustainable and effective, especially when
designed to maintain engagement over time.