Read the article “Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties” and write a summary reaction to the use of the policies in your journal.  Focus primarily on the literature review and the discussion of the findings.

The article “Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties” talks in depth about bug bounty programs. Companies pay freelance security researchers to identify and clarify bugs in their codebases through these schemes. The literature review talks about the theoretical and practical benefits of bug bounties. It focuses on the fact that there aren’t enough cybersecurity workers in the world and that bug bounties can find holes in systems that internal teams might miss. The review also mentions factors that may affect the number of security researcher reports, such as the program’s age, industry, brand image, bounty amount, time to solve the problem, revenue, scope, new programs added, and whether it’s public or private.
The study’s results are important and have many aspects.

First, the study indicates that hackers aren’t really concerned about price. At the median, their price elasticity of supply is between 0.1 and 0.2, which suggests that they are motivated by things apart from money, like image and helping others. The result is good news for small businesses that don’t have many resources.

Second, the study indicates that the number of accurate reports doesn’t depend much on how much money the company makes or how well-known its brand is. This means that bug bounties work for companies of all sizes and levels of fame.

Third, companies in the healthcare, retail, and finance sectors get fewer true reports. This could be because it’s easy to make money off of weaknesses in these sectors.

Fourth, the number of new programs doesn’t have a big effect on the number of reports that come in. This evidence suggests that HackerOne has been able to attract more hackers and increase their involvement.

Fifth, programs get fewer reports as they get older. This finding indicates that programs need to improve their reach to keep getting value.

Finally, the study highlights the need for further research, as many factors influencing hacker supply remain unknown.

Overall, the piece provides useful information about how bug bounty programs work and how they can be used to improve cybersecurity in many different fields. The results back up the idea that bug bounties make it easier for everyone to get good cybersecurity skills, which is good for all companies, no matter how big or famous they are. But the study also shows how complicated the bug bounty market is and how much more research is needed to fully understand what makes hackers want to participate and file reports.
