https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true


This is a study on bug bounties, which reward gig-economy security researchers for finding flaws in corporate code, and it demonstrates how economical these initiatives are. The study found that there is no discernible effect on the number of new businesses that join the platform, and that businesses in the financial, retail, and healthcare industries receive fewer legitimate vulnerabilities.

There are a few items that stood out to me in this article. One of the items from the background section states that many bounty hunters work part-time and that 27% are full-time students, averaging $800 a bounty. That was shocking to read, as it was unexpected given how competitive the field is. However, reading the next line, where the students are described as typically freelance and able to work flexibly, does help with digesting the information and is very encouraging to read.

Another point mentioned was the event of a collision. The article stated that if one is too slow to report a vulnerability and another bounty hunter beats them to it, they do not get compensated, because the later report is considered a duplicate. This can lead to a lot of wasted time. While it does make sense, it is also upsetting that the time spent goes unpaid. If freelancing is their full-time position, this can have a real impact. Lastly, in the findings, the author noted that a theory by Alex Stamos seems consistent with the results. This theory states that the reports given by hackers can be based on the monetary value of the information. For example, PII records are the most valuable, as they can be sold on the dark web for a hefty price, which is very concerning.