The article “Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties” examines bug bounty programs as a component of cybersecurity policy, focusing on the cost-benefit principles underlying these policies. The literature review highlights the dual rationale for bug bounty policies: addressing the acute shortage of cybersecurity professionals and drawing on diverse, global freelance talent to uncover vulnerabilities that in-house teams might miss. By integrating theories such as Linus’s Law (“Given enough eyeballs, all bugs are shallow”), the article underscores the practical benefit of widening the pool of people searching for vulnerabilities through crowdsourced security programs. It also explores influential factors such as program age, industry-specific conditions, and the motivation of ethical hackers, drawing on insights from the cybersecurity, economics, and computer science fields.
In the discussion of findings, the study provides empirical evidence supporting the efficacy of bug bounty programs. Notably, hackers exhibit price inelasticity: their participation is motivated by factors beyond monetary compensation, such as reputation building and altruism. This finding matters for small and medium enterprises (SMEs), because it shows that they can run effective bug bounty programs even with limited financial resources. Additionally, the study reveals that industry type influences vulnerability reporting, with sectors like finance and healthcare receiving fewer reports because their vulnerabilities have a high monetization potential in black markets. Programs also face diminishing returns over time as the easier bugs are found and fixed, but expanding the program’s scope could mitigate this effect.
The findings suggest that bug bounty policies democratize access to cybersecurity expertise, benefiting organizations of varying sizes and profiles. However, the authors acknowledge significant unexplained variation in vulnerability reporting and urge further research into overlooked factors such as program scope and bug severity. This emphasis on crowdsourced security underscores its growing importance within the broader cybersecurity policy framework.