Bug bounties are a practice in which companies pay external (non-employee) cybersecurity and ethical hacking professionals to find vulnerabilities in their systems, with payment based on what is found. The study focuses on two core reasons bug bounties are used: smaller companies can use such programs to make up for the current shortage of cybersecurity specialists, and bug bounty programs tend to locate bugs that company staff may not find. The main goals of the study were to determine whether bug bounty programs actually help all companies and not just large ones, to learn what motivates bug bounty hunters to submit bugs to organizations, and to find out whether bug bounty hunters help find vulnerabilities that internal teams missed (Sridhar-Ng, 2021).

The findings tend to show that hackers are generally not motivated by revenue but more by the ability to gain experience, and some may simply be looking to do a good deed. Younger hackers may be more eager for experience, while more experienced hackers tend to lean towards monetary gain. The findings also suggest that company size and payout do not seem to significantly affect the number of reports a program receives, meaning bug bounty programs are equally effective for companies of all sizes. This is particularly good for small and medium-sized companies that can’t afford a large number of skilled cybersecurity professionals (Sridhar-Ng, 2021). Bug bounties are also valuable for companies regardless of industry, although industries with a higher opportunity cost for vulnerabilities tend to receive slightly more reports than others. New programs also tend not to have much of an effect on the number of reports that companies receive, and existing programs tend to receive fewer reports over time, partially because bounties are not increased.
The findings also show that a large amount of the variation between programs is unexplained by the factors covered in this study, namely “… revenue, brand profile, and industry…” (Sridhar-Ng, 2021), with “… scope and bug severity…” (Sridhar-Ng, 2021) being two factors that may explain this variation. Overall, bug bounty programs seem to be effective for companies of all sizes and for finding most vulnerabilities as well.
Article: https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true