Journal 13

Mekhi Booker
Old Dominion University
CYSE201S
April 3rd, 2024

The article explores the effectiveness of bug bounty programs in improving cybersecurity across organizations, addressing both the practical and theoretical rationales behind their implementation. It discusses the global shortage of cybersecurity professionals, which particularly affects smaller enterprises, and the role bug bounties play in mitigating this shortage by engaging freelance security researchers. Theoretical perspectives, such as Linus’s Law, suggest that bug bounties enable companies to discover vulnerabilities that internal teams may overlook, emphasizing the importance of diverse skill sets and testing methods. The study uses regression analysis to examine various factors influencing the number of valid vulnerability reports received by bug bounty programs. Key findings include the price inelasticity of hacker supply, which indicates that hackers are motivated by non-monetary factors; the insignificant impact of brand profile and revenue on vulnerability reports; and industry-specific effects on the number of reports received. The analysis also considers the influence of new programs, the decline in reports over time, and unexplained variations in vulnerability reporting. The study concludes by emphasizing the need for further research to understand bug bounty markets comprehensively and suggests avenues for future investigation.