Journal Entry 13

Having read “Hacking for Good: Leveraging HackerOne Data to Develop an Economic Model of Bug Bounties,” my impression is that the literature review emphasizes the intersection of economics and cybersecurity and describes how bug bounty programs adopt cost–benefit logic to improve returns on investment in penetration testing. Instead of spending millions of dollars on contractual work from internal testers, organizations are able to pay ethical hackers only when they agree that the hacker has discovered an actual vulnerability, which is efficient and tied directly to incentives. The literature determines that motivations for bug bounty participation or non-participation are influenced by financial incentives, like monetary reward, as well as non-financial factors related to reputation, learning, and recognition.

In the discussion of the findings section, the authors note that paying a large bounty increased participation only slightly, which suggests that many ethical hackers are motivated to learn new techniques or become well known, rather than to be compensated for the time spent checking for vulnerabilities. The companies that participated in bug bounties reported observations aligned with the study: that bug bounties surfaced vulnerabilities at a higher rate than multiple other contracts, and improved overall security posture. I believe that is an interesting perspective on the value of an economic incentive in aligning individual interests with organizations’ objectives for maintaining and improving cybersecurity. I want to note that trust and engagement can also develop between hackers and companies, which is just as valuable as the financial contribution, and which frames the bug bounty policy as a novel relation, or bridge, between economics, ethics, and cybersecurity practice.