What is a bug bounty program? According to the hackerone.com site, it is an opportunity for ethical hackers to employ their skills and discover vulnerabilities or bugs in an application in exchange for a monetary reward. Bug bounty programs have become an increasingly significant cybersecurity strategy. Their policies invite ethical hackers to use their penetration testing skills to explore a company’s systems, which in essence blends the economic principle of cost-benefit analysis with cybersecurity needs. The journal article “Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties” presents its findings through a comprehensive analysis of these programs.
The article evaluates the efficiency of these programs against a dataset provided by HackerOne which covers hundreds of companies across many industries. What does this mean from an economic point of view? It means that these policies allow companies to detect and fix vulnerabilities at a more affordable cost. Additionally, they give ethical hackers an opportunity to gain not only monetary rewards but also experience and reputation. As a matter of fact, the study shows that “hacker supply is price inelastic”: new and inexperienced hackers are motivated not by money but by the other factors mentioned above. Senior hackers, on the other hand, are more responsive to high monetary rewards. The research also shows that the size of a company and its revenue do not have an important impact on the number of valid reports it receives. This demonstrates the flexibility of bug bounty programs and how useful they can be for companies of all sizes.
Although the size of the company, as the article demonstrates, may not play a role, the industry does. Companies in the financial and retail sectors receive fewer valid reports, which the authors attribute to their higher opportunity costs and preemptive cybersecurity measures. Companies in the medical sector also receive fewer reports.
The introduction of new bug bounty programs does not decrease the number of reports that existing programs receive. This further shows that HackerOne is successfully attracting more hackers and sustaining their interest. Older programs tend to receive fewer valid reports, which supports increasing bounties over time in order to retain hacker interest; valid vulnerabilities are still found in such older programs. Which factors affect the number of valid reports is not fully explained. Part of this variation might be explained by variables not considered in the study, such as the scope of a program or the severity of a bug.
Bug bounty policies are one such tool in the search for cybersecurity vulnerabilities, combining monetary incentives with other motivations. They are an inexpensive technique applicable to any company, irrespective of its size and domain. Nevertheless, their effectiveness cannot be guaranteed in the long run unless reward allocation strategies are adjusted. Therefore, the paper calls for an understanding of the motivators behind hacker participation and their effect on how well bug bounty programs work to strengthen cybersecurity.
References
Sridhar, K., & Ng, M. (2021). Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties. Journal of Cybersecurity, 7(1). https://doi.org/10.1093/cybsec/tyab007
HackerOne. (n.d.). HackerOne. https://hackerone.com/bug-bounty-programs