In the journal article “Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties” (2021), Kiran Sridhar and Ming Ng report several interesting findings about bug bounty policies.
The study found that, in general, companies that use bug bounties benefit from the transaction. Although the researchers observed a slight decrease in valid vulnerabilities in some sectors such as retail, finance and healthcare, policies that allow outside penetration testing and evaluation generally proved to be a worthwhile cost for companies. An alarming number of companies lack vulnerability disclosure policies (VDPs), which hurts them in the long run: without a VDP, people outside the organization who find vulnerabilities can be litigated against, which discourages reporting and leaves the company with blind spots.
After reading the findings of the study, I think the growth of the bug bounty industry and the use of bug bounty policies is a good investment for companies and, at the same time, a great opportunity for cybersecurity professionals and ethical hackers to grow their skills. More companies should enact these policies, because there are very few barriers to entry. The study found that money is not an issue, since most hackers are motivated by non-monetary factors such as experience and recognition. The size or brand presence of a company also did not matter, so small and large companies alike can benefit from the outside audit.
References:
Sridhar, K., & Ng, M. (2021). Hacking for good: Leveraging HackerOne data to develop an economic model of bug bounties. Journal of Cybersecurity, 7(1). https://doi.org/10.1093/cybsec/tyab007