Journal Entry #13

A later module addresses cybersecurity policy through a social science framework. At this point, attention can be drawn to one type of policy, known as bug bounty policies. These policies pay individuals for identifying vulnerabilities in a company’s cyber infrastructure. To identify the vulnerabilities, ethical hackers are invited to explore the cyber infrastructure using their penetration testing skills. The policies relate to economics in that they are based on cost/benefit principles. Read this article, https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true, and write a summary reaction to the use of the policies in your journal. Focus primarily on the literature review and the discussion of the findings.

According to the article, 93% of companies in the Forbes Global 2000 lack vulnerability disclosure policies (VDPs). It was also found that 25% of HackerOne’s top security researchers had withheld submitting a vulnerability out of liability fears because of the lack of a VDP. In late 2019, the US Department of Homeland Security instructed all government agencies to create a VDP. The article then establishes the logic of bug bounties, stating that there are two rationales for enterprises to seek out freelance hackers: one practical and one theoretical. The first is that there is a shortage of cyber professionals in the world, which makes it difficult to find workers for certain jobs. The second is that bug bounties have enabled companies of all sizes to discover vulnerabilities that might otherwise have been overlooked. The article then lists numerous factors that affect the supply of security researchers on bug bounty platforms, such as program age, the industry, brand profile, bounty amount, time to resolution, and whether the program is private or public. All of these factors play a role in determining the policies surrounding the research and the bug bounties themselves. All of these factors are examined in the discussion section, where the majority of them have a statistically insignificant effect on the number of reports that companies receive. A lot of this research ties back to economic policy because of the cost/benefit principles involved in paying bug bounties and hiring other researchers. Each company must determine what it is comfortable spending in areas such as recruitment, technology, and consultants. Bug bounties need to be explored further, as they do have some impact but their full potential is unexplored.
