This article, “Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties,” by Kiran Sridhar and Ming Ng, discusses the use of bug bounty policies to improve cybersecurity.  They present bug bounty policies as something that relates cybersecurity to economics, because they’re based on cost/benefits principles.  This journal article is based on data from the bug bounty platform HackerOne.

The authors begin by reviewing literature on bug bounties.  They admit that bug bounty programs are relatively new; this is due to a limited amount of publicly available data about them.  The programs offer financial rewards to ethical hackers for discovering and reporting security vulnerabilities.  However, there is not a clear market price for a bounty amount, because there isn’t a way to immediately determine “how exclusive a bug is” (Sridhar & Ng, 2021).  Companies can benefit from bug bounty programs, because they can help them locate vulnerabilities that they might not otherwise find, and it can also help to raise awareness of security issues.

The authors then present their own findings from a study of HackerOne data. They found that the average annual cost of operating a bug bounty program is less than the cost of hiring two additional software engineers in the United Kingdom (Sridhar & Ng, 2021).  Additionally, the average program reveals 156 unique vulnerabilities (Sridhar & Ng, 2021).  However, the article states that estimates don’t include the costs of HackerOne subscriptions or program management, as well as the internal costs of vulnerability reports (Sridhar & Ng, 2021).

The authors conclude by discussing the limitations of their study. They note that their study was based on data from a single bug bounty platform, so future research would be needed to “determine hacker supply” (Sridhar & Ng, 2021).  Additional research could also help to explain how bug bounty markets work, which would enhance our understanding of this particular cybersecurity tool.

References

Sridhar, K., & Ng, M. (2021, March 12). Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties. Journal of Cybersecurity, Volume 7(Issue 1). https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453