Affiliation:
1. Florida International University, Miami, USA
2. Cybersecurity Researcher & Consultant, Fayetteville, USA
Abstract
Cybercrime caused by exploited vulnerabilities places a huge burden on societies. Most of these vulnerabilities are detectable, and the damage is preventable if software vendors and the firms that deploy such software adopt the right practices. Bug Bounty Programs (BBPs) run by vendors and intermediaries are one of the most important creations of recent years, helping software vendors create marketplaces to detect and prevent such exploits. This article develops the theory of BBPs and presents a typology of BBPs using established theories of incentive compatibility and mechanism design. The authors empirically analyze the market creation function of BBPs using granular data from two different types of BBPs on a popular intermediary platform. The research findings suggest that BBPs are valuable opportunities to source vulnerabilities in software; nevertheless, the rate of disclosure and hacker participation increases only marginally with the vendor's rewards and other incentives. Similarly, the results show that security researchers are motivated to contribute to BBPs that offer higher remuneration, and not just to those programs with a higher likelihood of bug discovery. Our findings will help researchers and practitioners in information security and allied domains to develop a theoretical and empirical perspective on BBPs and their usefulness in curbing incidents of cybercrime.
Subject
Hardware and Architecture, Information Systems, Software
Cited by
15 articles.