Journal Post #13, November 8th 2023

“Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties”, by Kiran Sridhar and Ming Ng, is a comprehensive study of the effectiveness and benefits of bug bounty programs. As the article describes, a bug bounty program is an arrangement in which an organization invites security researchers, or hackers, to test its systems within a defined scope; when they find vulnerabilities or working exploits, they report them to the host organization and receive financial compensation. These programs are not confined to one kind of organization: industry titans, small businesses, and government agencies all run them, so both public- and private-sector institutions use this method to weed out vulnerabilities. The article notes that “…by 2022, 50% of enterprises will employ crowdsourced cybersecurity” (Sridhar and Ng 2021). Sridhar and Ng also invoke Linus’s Law, which holds that given enough eyes on a piece of code, all bugs are shallow, meaning they are easy to spot and fix.

The article goes on to explain that the rewards are not only monetary: there are secondary benefits of exposure and branding that allow hackers to carve out a “niche” for themselves. After studying the HackerOne datasets, the researchers also identify a few drawbacks of bug bounty programs. For example, programs that have been active for a while receive fewer reports, since most of the low-hanging fruit has already been picked. Despite this, a bug bounty program is an excellent way to leverage decentralized security researchers as a complement to, rather than a replacement for, a full-time security team.

Sridhar, Kiran, and Ming Ng. “Hacking for Good: Leveraging HackerOne Data to Develop an Economic Model of Bug Bounties.” Journal of Cybersecurity, vol. 7, no. 1, 22 Jan. 2021, academic.oup.com/cybersecurity/article/7/1/tyab007/6168453.
