Bug Bounties: Relation to economics

Bug bounty programs have existed for some time, in both public and private forms. Public bug bounty programs allow any person to submit vulnerabilities they find, whereas private programs rely on specific contracts with specific hackers. The purpose of these programs is to find vulnerabilities within information systems and report them. This could allow companies to create a patch to fix their product, or help a company that uses third-party applications ensure its systems are secure. With that being said, this has an economic impact. This article states that a study by Verizon found that most small businesses shut down after 6 months due to a security breach. Without the means to hire a permanent cybersecurity specialist, they are left vulnerable. Being able to hire a freelance hacker to assess the company's infrastructure, as well as the applications it hosts, could help them stay in business. These programs also show that monetary gain is not a common factor for these hackers. Though other factors were not shown, I would assume their main goal is to gain experience. Entry-level cybersecurity jobs are hard to come by without experience. A degree no longer cuts it; you need to be able to jump in the deep end. Therefore, this allows them to hire a specialist within their budget. This has also been shown to increase the number of bugs reported by hackers, because they are hired for the job. The fear of repercussions is lessened by these programs, because there is a specific framework the hackers must abide by. As long as they follow that framework and submit their findings, this is a legal process. This encourages the use of these tools to find bugs that can negatively impact an organization.

Kiran Sridhar, Ming Ng, Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties, Journal of Cybersecurity, Volume 7, Issue 1, 2021, tyab007, https://doi.org/10.1093/cybsec/tyab007
