In a journal article, Kiran Sridhar and Ming Ng discuss the benefits of ethical hacking and the use of bug bounties. Bug bounties are programs in which gig-economy security researchers are paid for identifying and explaining vulnerabilities in a company's codebase (Sridhar and Ng). They operate on a pay-for-results basis: because firms pay only for valid findings, the model can be more cost-efficient than relying solely on full-time security staff. In their study, the authors set out to measure how cost-effective this model actually is by analysing a proprietary dataset from HackerOne.
Their findings revealed a price elasticity of roughly 0.1 to 0.2 (Sridhar and Ng), meaning that a 10% increase in bounty payments produced only about a 1% to 2% increase in the number of reports received. This indicates that hackers are motivated by factors beyond monetary gain, such as reputation, intellectual challenge, or excitement, as discussed in a previous journal entry. It also shows that incentives do not need to be extremely high, since lower-paying programs still attract skilled researchers. According to their research, the size and brand of a company did not influence the number of reports received, and the launch of new programs did not diminish the number of reports submitted to older ones.
In conclusion, this journal article demonstrates how effective bug bounty programs can be, even without high monetary rewards or the very latest software in scope. While keeping software up to date is advantageous, the findings suggest it is not a prerequisite for attracting reports. The authors note that much remains to be learned about how bug bounty markets actually operate, and one caveat is that their data come from a single platform. Although research is still ongoing, bug bounties appear to be a promising and cost-efficient strategy in the field of cybersecurity.
References
Sridhar, Kiran, and Ming Ng. "Hacking for Good: Leveraging HackerOne Data to Develop an Economic Model of Bug Bounties." Journal of Cybersecurity, vol. 7, no. 1, 2021, tyab007, https://doi.org/10.1093/cybsec/tyab007.