CYSE 201s Journal 11b: Read this article and write a summary reaction to the use of policies in your journal. Focus primarily on the literature review and the discussion of the findings.

This is a strong article that examines bug bounty programs, their impact on cybersecurity, and the factors that influence how many valid vulnerability reports a program receives. It begins by reviewing the literature on the relationship between company revenue and bug occurrence. Larger companies have more resources to invest in cybersecurity, but they also own larger and more complex technology assets, which increases their exposure to attack. Despite that difference, bug bounties appear to work for large companies and SMEs (small and medium enterprises) alike. The study then summarizes the computer science literature's consensus that the number of bugs in software grows as the size of the codebase grows. It also discusses the rising popularity of bug bounty programs and the possible effects of new programs on competition for hacker attention. Using data from HackerOne, the authors perform regression analysis and apply an instrumental variable strategy to address endogeneity and support causal claims. The variables examined include company revenue, time to resolution, bounty amounts, Twitter followers, industry effects, and program age. Together, these findings help explain hacker supply elasticity, the influence of industry and company attributes, and how bug bounty programs evolve over time.

The study finds that hackers are relatively insensitive to monetary incentives, which points to non-monetary motivations (some want experience and reputation, others are motivated by altruism). This is good news for SMEs with limited budgets. Contrary to expectations, company revenue and brand profile have no significant effect on the number of vulnerability reports, so bug bounties appear to be effective for companies of every size and level of prominence, broadening access to security talent. The industry effects show that the finance, retail, and medical sectors receive fewer vulnerability reports than other industries. One possible explanation is that vulnerabilities in finance are easy to monetize maliciously and healthcare data commands a high black-market price, which may draw some hackers away from legitimate reporting; another is that these industries already take more proactive security measures. The study also finds that the number of new bug bounty programs does not significantly reduce the reports received by existing companies, which suggests that HackerOne is able to recruit additional hackers as programs are added. It does, however, observe a decline in reports over time for established programs, which may require increased bounties to maintain hacker engagement. Overall, this article makes a significant contribution to the bug bounty literature by highlighting both the impact and the challenges of these programs.

https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true
