Drawing upon a comprehensive data set of bug bounty programs, we removed many of the sources of endogeneity plaguing research in the crowdsourced cybersecurity field and identified many of the factors that influence the quantity of valid vulnerability reports bug bounty programs receive. Our research had six significant findings. For the first time in academic literature, we calculated the elasticity of hacker supply. Hackers are relatively price insensitive, with an elasticity between 0.1 and 0.2 at the median. Second, we found that bug bounties are practical tools for companies of all sizes and levels of prominence. Third, we found that companies in specific industries received fewer reports, ceteris paribus, than companies in other industries. Fourth, we found that the number of new programs created in any given month is marginal.