How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model

References

• Ales L, Cho SH, Körpeoğlu E (2016) Optimal award scheme in innovation tournaments. Oper. Res. 65(3):693–702.Link, Google Scholar
• Ales L, Cho S, Körpeoğlu E (2019) Innovation and crowdsourcing contests. Hu M, ed. Sharing Economy: Making Supply Meet Demand, Springer Series in Supply Chain Management (Springer, Cham, Switzerland), 379–406.Crossref, Google Scholar
• Ales L, Cho SH, Körpeoğlu E (2021) Innovation tournaments with multiple contributors. Production Oper. Management 30(6):1772–1784.Crossref, Google Scholar
• Anderson R, Moore T (2006) The economics of information security. Science 314(5799):610–613.Crossref, Google Scholar
• Andress J, Leary M (2016) Building a Practical Information Security Program (Syngress, Rockland, MA).Google Scholar
• Archak N, Sundararajan A (2009) Optimal design of crowdsourcing contests. Internat. Conf. Inform. Systems (ICIS) 2009 Proc. (Association for Information Systems Electronic Library, Atlanta), 200.Google Scholar
• Arora A, Telang R, Xu H (2008) Optimal policy for software vulnerability disclosure. Management Sci. 54(4):642–656.Link, Google Scholar
• Arrow SA, Newman CA (2018) Part II: Hidden costs of bug bounty programs. Accessed May 8, 2024, pbwt.com/data-security-law-blog/part-ii-hidden-costs-of-bug-bounty-programs.Google Scholar
• August T, Niculescu MF (2013) The influence of software process maturity and customer error reporting on software release and pricing. Management Sci. 59(12):2702–2726.Link, Google Scholar
• August T, Tunca TI (2006) Network software security and user incentives. Management Sci. 52(11):1703–1720.Link, Google Scholar
• Barillon T (2019) Comprehensive vulnerability management in connected security solutions. Accessed May 8, 2024, securityintelligence.com/comprehensive-vulnerability-management-in-connected-security-solutions/.Google Scholar
• Barrett M (2018) Framework for improving critical infrastructure cybersecurity version 1.1. NIST Cybersecurity Framework. Accessed August 12, 2024, https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf.Google Scholar
• Boudreau KJ, Lacetera N, Lakhani KR (2011) Incentives and problem uncertainty in innovation contests: An empirical analysis. Management Sci. 57(5):843–863.Link, Google Scholar
• Bugcrowd (2015) This is why companies are afraid of bug bounties. Accessed May 8, 2024, forum.bugcrowd.com/t/this-is-why-companies-are-afraid-of-bug-bounties/813.Google Scholar
• Bugcrowd (2020) Bugcrowd study reveals 65% increase in discovery of high-risk vulnerabilities in 2020 amid COVID-19 pandemic. Accessed May 8, 2024, www.bugcrowd.com/press-release/bugcrowd-study-reveals-65-increase-in-discovery-of-high-risk-vulnerabilities-in-2020-amid-covid-19-pandemic/.Google Scholar
• Business Research Insights (2023) Bug bounty platform market size, share, growth, and industry analysis, by type (cloud, SaaS web, mobile-android native, mobile-iOS native, host), by application (finance & banking, software development, retail, government, other), regional forecast by 2031. Technical report. Accessed May 8, 2024, businessresearchinsights.com/market-reports/bug-bounty-platforms-market-102501.Google Scholar
• Campbell M (2021) Apple fails to patch publicly disclosed zero-day flaws with iOS 15.0.1. Accessed May 8, 2024, https://appleinsider.com/articles/21/10/01/apple-fails-to-patch-publicly-disclosed-zero-day-flaws-with-ios-1501.Google Scholar
• Cassin H (2020) Are “bug bounties” the next big thing for compliance? Accessed May 8, 2024, fcpablog.com/2020/09/28/are-bug-bounties-the-next-big-thing-for-compliance/.Google Scholar
• Cavalancia N (2020) Vulnerability management explained. Accessed May 8, 2024, cybersecurity.att.com/blogs/security-essentials/vulnerability-management-explained.Google Scholar
• Cavusoglu H, Cavusoglu H, Raghunathan S (2007) Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans. Software Engrg. 33(3):171–185.Crossref, Google Scholar
• Cavusoglu H, Cavusoglu H, Zhang J (2008) Security patch management: Share the burden or share the damage? Management Sci. 54(4):657–670.Link, Google Scholar
• Cezar A, Cavusoglu H, Raghunathan S (2014) Outsourcing information security: Contracting issues and security implications. Management Sci. 60(3):638–657.Link, Google Scholar
• Chickowski E (2022) Why bug-bounty programs are failing everyone. Accessed May 8, 2024, darkreading.com/black-hat/why-bug-bounty-programs-failing-everyone.Google Scholar
• Comeau Z (2021) Report: Remote work makes patch management much harder. Accessed May 8, 2024, mytechdecisions.com/it-infrastructure/report-remote-work-makes-patch-management-much-harder/.Google Scholar
• Crews P, Kuszmaul W, Penkov P (2018) To disclose or not disclose: The ethics of vulnerability disclosure. Accessed May 8, 2024, medium.com/@ptcrews/to-disclose-or-not-disclose-the-ethics-of-vulnerability-disclosure-aaf09c1ab4b0.Google Scholar
• Davis J (2017) Slow breach detection. Patching, operational snags handcuff healthcare security. Accessed May 8, 2024, healthcareitnews.com/news/slow-breach-detection-patching-operational-snags-handcuff-healthcare-security.Google Scholar
• Demirezen EM, Kumar S, Shetty B (2020) Two is better than one: A dynamic analysis of value co-creation. Production Oper. Management 29(9):2057–2076.Crossref, Google Scholar
• Dempsey K, Chawla NS, Johnson A, Johnson R, Jones AC, Orebaugh A, Scholl M, Stine K (2012) Information security. NIST special publication. Accessed May 8, 2024, dl.acm.org/citation.cfm?id=2408290.Google Scholar
• Department of Justice (2022) Department of Justice announces new policy for charging cases under the Computer Fraud and Abuse Act. Accessed May 8, 2024, justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act.Google Scholar
• Dey D, Ghoshal A, Lahiri A (2022) Circumventing circumvention: An economic analysis of the role of education and enforcement. Management Sci. 68(4):2914–2931.Link, Google Scholar
• Duckett C (2022) Zoom patches XMPP vulnerability chain that could lead to remote code execution. Accessed May 8, 2024, zdnet.com/article/zoom-patches-xmpp-vulnerability-chain-that-could-lead-to-remote-code-execution/.Google Scholar
• Elazari A (2018) The law and economics of bug bounties. Accessed May 8, 2024, usenix.org/sites/default/files/conference/protected-files/security18_slides_elazari.pdf.Google Scholar
• Ellis C (2021) NIST: Vulnerability disclosure as a requirement for every organization. Accessed May 8, 2024, www.bugcrowd.com/blog/nist-vulnerability-disclosure-as-a-requirement-for-every-organization/.Google Scholar
• Fruhlinger J (2020) Top cybersecurity facts, figures and statistics for 2020. Accessed May 8, 2024, csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html.Google Scholar
• Fryer H, Simperl E (2017) Web science challenges in researching bug bounties. Proc. 2017 ACM Web Sci. Conf. (Association for Computing Machinery, New York), 273–277.Google Scholar
• Gamero-Garrido A, Savage S, Levchenko K, Snoeren AC (2017) Quantifying the pressure of legal risks on third-party vulnerability research. Proc. 2017 ACM SIGSAC Conf. Comput. Comm. Security (Association for Computing Machinery, New York), 1501–1513.Google Scholar
• Geiger H (2021) Proposed security researcher protection under CFAA. Accessed May 8, 2024, rapid7.com/blog/post/2021/06/04/proposed-security-researcher-protection-under-cfaa-2/.Google Scholar
• Giboney JS, Proudfoot JG, Goel S, Valacich JS (2016) The security expertise assessment measure (SEAM): Developing a scale for hacker expertise. Comput. Security 60:37–51.Crossref, Google Scholar
• GitHub (2021) Seven years of the GitHub security bug bounty program. Accessed May 8, 2024, github.blog/2021-06-25-seven-years-github-security-bug-bounty-program/.Google Scholar
• Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans. Inform. System Security 5(4):438–457.Crossref, Google Scholar
• Graves SB, Langowitz NS (1993) Innovative productivity and returns to scale in the pharmaceutical industry. Strategic Management J. 14(8):593–605.Crossref, Google Scholar
• Greig J (2022) DOJ: Congress looked into CFAA updates but effort was stalled by extortion concerns. Accessed May 8, 2024, therecord.media/doj-congress-looked-into-cfaa-updates-but-effort-was-stalled-by-extortion-concerns.Google Scholar
• HackerOne (2011) Vulnerability disclosure—What’s the responsible solution? Accessed May 8, 2024, https://www.hackerone.com/vulnerability-disclosure/vulnerability-disclosure-whats-responsible-solution.Google Scholar
• HackerOne (2019) Using bug bounty talent pools to attract and maintain top talent. Accessed May 8, 2024, hackerone.com/blog/using-bug-bounty-talent-pools-attract-and-maintain-top-talent.Google Scholar
• HackerOne (2023) 5 common mistakes when running a bug bounty program. Accessed May 8, 2024, https://www.hackerone.com/vulnerability-management/common-bug-bounty-program-mistakes.Google Scholar
• Hammond A (2021) 5 ways to maximise hacker participation in your bug bounty program. Accessed May 8, 2024, blog.intigriti.com/2021/08/02/maximise-ethical-hacker-participation-bug-bounty-program/.Google Scholar
• Harper J (2023) DDS rolls out new website to help pentagon scale bug bounties, attract cyber talent. Accessed May 8, 2024, defensescoop.com/2023/03/30/dds-rolls-out-new-website-to-help-pentagon-scale-bug-bounties-attract-cyber-talent/.Google Scholar
• Harrington T (2021) Why a skills shortage is one of the biggest security challenges for companies. Accessed May 8, 2024, resources.infosecinstitute.com/topic/why-a-skills-shortage-is-one-of-the-biggest-security-challenges-for-companies/.Google Scholar
• Hata H, Guo M, Babar MA (2017) Understanding the heterogeneity of contributors in bug bounty programs. Proc. 11th ACM/IEEE Internat. Sympos. Empirical Software Engrg. Measurement (IEEE, Piscataway, NJ), 223–228.Google Scholar
• Haworth J (2021) When vulnerability disclosure goes sour: New GitHub repo details legal threats and risks faced by ethical hackers. Accessed May 8, 2024, portswigger.net/daily-swig/when-vulnerability-disclosure-goes-sour-github-repo-details-legal-threats-and-risks-faced-by-ethical-hackers.Google Scholar
• Haynes A, Sadeghipour B (2021) Crowdsourced bug bounty programs: Security gains vs. potential losses. Accessed May 8, 2024, infosecurity-magazine.com/magazine-features/crowdsourced-bug-bounty-programs/.Google Scholar
• Hui KL, Ke PF, Yao Y, Yue WT (2019) Bilateral liability-based contracts in information security outsourcing. Inform. Systems Res. 30(2):411–429.Link, Google Scholar
• Ji YH, Kumar S, Mookerjee V (2016) When being hot is not cool: Monitoring hot lists for information security. Inform. Systems Res. 27(4):897–918.Link, Google Scholar
• Khalid QM (2023) Unveiling the dark side of bug bounty programs: A cautionary tale. Accessed May 8, 2024, medium.com/@qaafqasim/unveiling-the-dark-side-of-bug-bounty-programs-a-cautionary-tale-108b0b163959.Google Scholar
• Körpeoğlu E, Cho SH (2018) Incentives in contests with heterogeneous solvers. Management Sci. 64(6):2709–2715.Link, Google Scholar
• Korpeoglu C, Korpeoglu E, Tunç S (2021) Optimal duration of innovation contests. Manufacturing Service Oper. Management 23(3):657–675.Link, Google Scholar
• Kumar S, Mallipeddi RR (2022) Impact of cybersecurity on operations and supply chain management: Emerging trends and future research directions. Production Oper. Management 31(12):4488–4500.Google Scholar
• Laszka A, Zhao M, Malbari A, Grossklags J (2018) The rules of engagement for bug bounty programs. Internat. Conf. Financial Cryptography Data Security (Springer, Berlin, Heidelberg), 138–159.Crossref, Google Scholar
• Lee CH, Geng X, Raghunathan S (2013) Contracting information security in the presence of double moral hazard. Inform. Systems Res. 24(2):295–311.Link, Google Scholar
• Lee CH, Geng X, Raghunathan S (2016) Mandatory standards and organizational information security. Inform. Systems Res. 27(1):70–86.Link, Google Scholar
• Lemos R (2021) Bug bounties surge as firms compete for talent. Accessed May 8, 2024, darkreading.com/application-security/bug-bounties-surge-as-firms-compete-for-talent.Google Scholar
• Lemos R (2022) Zoom’s bug bounty programs soar to $1.8M. Accessed May 8, 2024, darkreading.com/application-security/zoom-s-bug-bounty-programs-soars-to-1-8-million.Google Scholar
• Lynch K (2021) Supreme Court offers justice for cybersecurity threat hunters options. Accessed May 8, 2024, mimecast.com/blog/supreme-court-offers-justice-for-cybersecurity-threat-hunters/.Google Scholar
• Malladi SS, Subramanian H (2019) Bug bounty programs for cybersecurity: Practices, issues, and recommendations. IEEE Software 37(1):31–39.Crossref, Google Scholar
• Marino A (2020) How the commercialization of bug bounties is creating more vulnerabilities. Accessed May 8, 2024, bit.ly/3pxQDJb.Google Scholar
• Moldovanu B, Sela A (2001) The optimal allocation of prizes in contests. Amer. Econom. Rev. 91(3):542–558.Crossref, Google Scholar
• Mumtaz S, Rodriguez C, Zamanirad S (2020) Security professional skills representation in bug bounty programs and processes. Internat. Conf. Service-Oriented Comput. (Springer-Verlag, Berlin, Heidelberg), 334–348.Google Scholar
• Muncaster P (2022) Global security spending set to hit $198bn by 2025. Accessed May 8, 2024, infosecurity-magazine.com/news/global-security-spending-set-198bn/.Google Scholar
• National Institute of Standards and Technology (2014) Framework for improving critical infrastructure cybersecurity: Version 1.0. NIST Cybersecurity Framework. Accessed August 12, 2024, https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf.Google Scholar
• National Institute of Standards and Technology (2020) Security and privacy controls for information systems and organizations. Accessed August 12, 2024, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf.Google Scholar
• Neumann J, Hudson D (2021) Beware the bug bounty. Accessed May 8, 2024, www.darkreading.com/vulnerabilities-threats/beware-the-bug-bounty.Google Scholar
• Nidecki TA (2023) Ethical hacking vs. the law—Will you get arrested for a good deed? Accessed May 8, 2024, alturl.com/354fz.Google Scholar
• O’Donnell L (2018) Newsmaker interview: Katie Moussouris on improving bug bounty programs. Accessed May 8, 2024, alturl.com/k9agn.Google Scholar
• Owens C (2018) Low hanging fruit often abused by red teams. Accessed May 8, 2024, bit.ly/3irIogy.Google Scholar
• Petersen C (2019) A CTO’s take on the security operations maturity model. Accessed May 8, 2024, bit.ly/3v5U37f.Google Scholar
• Pfefferkorn R (2020) The importance of protecting good-faith security research. Accessed May 8, 2024, cyberlaw.stanford.edu/blog/2020/09/importance-protecting-good-faith-security-research.Google Scholar
• Porup J (2018) Bug bounties offer legal safe harbor. Right? Right?—CSO Online. Accessed May 8, 2024, https://www.csoonline.com/article/565995/bug-bounties-offer-legal-safe-harbor-right-right.html#:∼:text=Hackers%20engaging%20in%20good%2Dfaith,to%20that%20question%20is%20no.Google Scholar
• Ransbotham S, Ramsey J (2012) Are markets for vulnerabilities effective? Management Inform. Systems Quart. 36(1):43–64.Crossref, Google Scholar
• Raymond E (1999) The cathedral and the bazaar. Knowledge Tech. Policy 12(3):23–49.Crossref, Google Scholar
• Robinson RM (2017) Back to basics: Six simple strategies to strengthen your security posture. Accessed May 8, 2024, securityintelligence.com/back-to-basics-six-simple-strategies-to-strengthen-your-security-posture/.Google Scholar
• Roels G, Karmarkar US, Carr S (2010) Contracting for collaborative services. Management Sci. 56(5):849–863.Link, Google Scholar
• Sardaryzadeh A (2023) Security researchers battle against the DMCA. Accessed May 8, 2024, sites.duke.edu/thefinregblog/2023/04/05/security-researchers-battle-against-the-dmca/.Google Scholar
• Sauter V (2020) What’s at stake in the Computer Fraud and Abuse Act. Accessed May 8, 2024, helpnetsecurity.com/2020/12/14/cfaa-computer-fraud-and-abuse-act/.Google Scholar
• Schechter S (2002) How to buy better testing using competition to get the most security and robustness for your dollar. Davida G, Frankel Y, Rees O, eds. Infrastructure Security. InfraSec 2002, Lecture Notes in Computer Science (Springer, Berlin, Heidelberg), 73–87.Google Scholar
• Schulz S (2023) 5 reasons bug bounty programs fail & how to overcome pitfalls. Accessed May 8, 2024, gogetsecure.com/why-bug-bounty-programs-fail/.Google Scholar
• Sen S (2021) Microsoft accused of slashing bug bounty rewards by up to 90% allege security researchers. Neowin. Accessed May 8, 2024, neowin.net/news/microsoft-accused-of-slashing-bug-bounty-rewards-by-up-to-90-allege-security-researchers/.Google Scholar
• Sen R, Choobineh J, Kumar S (2020) Determinants of software vulnerability disclosure timing. Production Oper. Management 29(11):2532–2552.Crossref, Google Scholar
• Shein E (2022) Small and midsize businesses can mitigate security risks with patch management. Accessed May 8, 2024, computerworld.com/article/3651450/small-and-midsize-businesses-can-mitigate-security-risks-with-patch-management.html.Google Scholar
• Smalley S (2022) DOJ changes to CFAA guidance are overhyped, lawyers say. Accessed May 8, 2024, cyberscoop.com/department-of-justice-cfaa-policy-change-overhyped/.Google Scholar
• Souppaya M, Scarfone K (2022) Guide to enterprise patch management planning: Preventive maintenance for technology. Accessed August 12, 2024, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf.Google Scholar
• Sridhar K, Ng M (2021) Hacking for good: Leveraging HackerOne data to develop an economic model of bug bounties. J. Cybersecurity 7(1):1–9.Crossref, Google Scholar
• Statista (2021) Industry share of bug bounty programs worldwide in 2020. Accessed May 8, 2024, statista.com/statistics/1051970/worldwide-bug-bounty-program-industry/.Google Scholar
• Storm D (2015) United Airlines waits 6 months to patch critical flaw submitted to bug bounty program. Accessed May 8, 2024, computerworld.com/article/3007305/united-airlines-waits-6-months-to-patch-critical-flaw-submitted-to-bug-bounty-program.html.Google Scholar
• Stouras KI, Hutchison-Krupat J, Chao RO (2021) The role of participation in innovation contests. Management Sci. 68(6):4135–4150.Link, Google Scholar
• The Express Wire (2023) Bug bounty platforms market 2023| Latest trends, growth, revenue, share, price, regional analysis, and forecast to 2028. Accessed May 8, 2024, https://www.digitaljournal.com/pr/news/bug-bounty-platforms-market-2023-latest-trends-growth-revenue-share-price-regional-analysis-and-forecast-to-2028.Google Scholar
• Terwiesch C, Xu Y (2008) Innovation contests, open innovation, and multiagent problem solving. Management Sci. 54(9):1529–1543.Link, Google Scholar
• Votipka D, Stevens R, Redmiles E, Hu J, Mazurek M (2018) Hackers vs. testers: A comparison of software vulnerability discovery processes. Proc. IEEE Sympos. Security Privacy (IEEE, Piscataway, NJ), 374–391.Google Scholar
• Walshe T, Simpson A (2020) An empirical study of bug bounty programs. Proc. 2020 IEEE Second Internat. Workshop Intelligent Bug Fixing (IEEE, Piscataway, NJ), 35–44.Google Scholar
• Whittaker Z (2018) Equifax breach was “entirely preventable” had it used basic security measures, says house report. Accessed May 8, 2024, tcrn.ch/3glngWf.Google Scholar
• Wolff J (2022) The government finally figured out what hackers are the good guys. Accessed May 8, 2024, slate.com/technology/2022/05/cfaa-justice-department-policy-update.html.Google Scholar
• Xie H, Lui JC, Jiang JW, Chen W (2014) Incentive mechanism and protocol design for crowdsourcing systems. 52nd Annual Allerton Conf. Comm. Control Comput. (IEEE, Piscataway, NJ), 140–147.Google Scholar
• Xu T (2020) Bug bounties: An overview. Accessed May 8, 2024, builtin.com/software-engineering-perspectives/bug-bounty-hunting.Google Scholar
• Zhang S, Singh PV, Ghose A (2019) A structural analysis of the role of superstars in crowdsourcing contests. Inform. Systems Res. 30(1):15–33.Link, Google Scholar
• Zhao M, Laszka A, Grossklags J (2017) Devising effective policies for bug-bounty platforms and security vulnerability discovery. J. Inform. Policy 7:372–418.Crossref, Google Scholar