Affiliation:
1. Stanford University; Operations and Technology Management, University of Cambridge, CA 94103
2. Department of Data Science, HackerOne, San Francisco, USA
Abstract
We ran a study of bug bounties, programs in which gig-economy security researchers are compensated for pinpointing and explaining vulnerabilities in company code bases. Bug bounty advocates have argued that they are a cost-effective means for companies of all types to shore up their security posture. Our research, which analyzes a large, proprietary dataset and leverages instrumental variables to eliminate potential sources of endogeneity, provides empirical support for this assertion. Security researchers have a price elasticity of supply of between 0.1 and 0.2 at the median, indicating that they are largely motivated by non-pecuniary factors; a company can therefore still derive utility from a bug bounty program even if it has a limited ability to pay security researchers. Moreover, a company's revenue and brand profile do not have an economically significant effect on the number of valid security vulnerability reports its program receives. However, we found that companies in the finance, retail, and healthcare sectors are notified of fewer valid vulnerabilities, ceteris paribus, than companies in other sectors, though these estimates are not statistically significant at the 5% level. We also found no evidence that new companies joining the HackerOne platform reduce the number of reports that existing programs receive. Finally, we find that programs receive fewer valid reports as they grow older and bugs become harder to find. This negative age effect may be dampened if the program expands the scope of code available for hacking.
Publisher
Oxford University Press (OUP)
Subject
Law,Computer Networks and Communications,Political Science and International Relations,Safety, Risk, Reliability and Quality,Social Psychology,Computer Science (miscellaneous)
Cited by
12 articles.