Optimal Launch Timing of Bug Bounty Programs for Software Products under Different Licensing Models

Abstract

An increasing number of software firms are utilizing bug bounty programs (BBPs) to detect bugs and enhance their product quality by leveraging the contributions of external ethical hackers. Although launching a BBP involves bounties as well as the costs of processing bug reports and fixing bugs, software firms can save failure costs and enjoy the benefits of greater user trust. The costs and benefits resulting from launching a BBP vary with launch timings and software licensing models. Hence, we investigate the optimal BBP launch strategies for software firms, using perpetual or subscription licensing models. Our findings reveal that under perpetual licensing, the firm has only two viable launch strategies: simultaneous launch, i.e., launching the software and the BBP simultaneously, and no launch. Under subscription licensing, however, delayed launch, i.e., launching the BBP later than the software release time, occurs as the optimal strategy when the failure cost is not high and the benefit of user trust is significant. Two distinct patterns in the relationship between the firm’s bug-fixing capability and its payoff are identified: a U-shaped pattern and an inverted U-shaped pattern. We uncover the conditions under which a firm should opt not to launch a BBP as its bug-fixing capability improves. This study offers insights into how firms can be motivated to launch BBPs to improve the overall reliability of their software.