Analyzing Bug Bounty Programs: An Institutional Perspective on the Economics of Software Vulnerabilities

16 Pages Posted: 1 Apr 2014 Last revised: 31 Mar 2016

See all articles by Andreas Kuehn

Andreas Kuehn

Syracuse University, School of Information Studies; Stanford University, Center for International Security and Cooperation; EastWest Institute, Global Cooperation in Cyberspace Initiative

Milton Mueller

Georgia Institute of Technology

Date Written: August 1, 2014

Abstract

This paper applies institutional economics theory (North, 1990) to examine the recent developments of bug bounty programs. A software vulnerability, commonly referred to as a bug, is a flaw in computer code that is an unintended consequence of design choices or mathematical errors in models. Until the bug is fixed with a software patch, it presents a security loophole and may be exploited in a cyber attack to intrude an information system. Major software companies, among them Microsoft, Adobe, and Oracle, received considerable media attention in 2013 for severe security issues. Some of their widely used applications were in danger of being exploited based on until recently unknown code vulnerabilities. Software companies have incentives to fix bugs in their software once they are discovered. The mode and degree of responsible disclosure has been a contentious issue in the information security community. In some cases, security researchers have faced legal challenges when they shared their findings with the software vendor or released such information to the public.

In recent years, major software companies significantly adapted their approach by more openly incorporating externally gathered vulnerability information. Google, Microsoft, and Facebook, for instance, created structured programs where bug hunters can submit their digital prey, in exchange for a predefined bounty. Depending on the significance and sophistication of a vulnerability, the bounty price may range from a few $100 to up to $100,000. The paper argues that bug bounty programs constitute a significant change in the way vulnerability information is systematically acquired by software vendors. Related emerging norms and practices reduce the level of uncertainty in the exchange of critical vulnerability information. The paper purports that these changes will lead to an increase in reported and fixed vulnerabilities, resulting in a more secure and reliable Internet. To examine this preposition, the paper (1) provides an analytical, historical narrative of the development of bug bounty programs and changes in related security practices (e.g., No More Free Bugs campaign, cf. Naraine, 2009); and (2) provide an in-depth institutional, comparative analysis of multiple bug bounty programs.

Institutional economics (North, 1990) and its application in the Internet domain (Mueller, 2002) provide a conceptual framework for the analysis. Institutions, “the rules of the game”, constrain and standardize the economic exchange, such as transacting software vulnerabilities. They provide theoretical explanations for the formation of bug bounty programs and address crucial issues on uncertainty (e.g., determining the legality of transactions, enforcement in case of defection) A bug, as a an information good, poses peculiar challenges to transactions, and thus accounts for higher transaction costs (cf. Arrow, 1962); institutions facilitate economic exchange despite uncertainty. To some degree institutions also deal with the paradox of the impossibility to evaluate an information good without rendering its value worthless. A potential buyer would hardly acquire a bug after s/he gained the desired knowledge upon inspection.

Building and extending upon earlier research on markets for software bugs in computer science and economics (e.g., Finifter, Akhawe, & Wagner, 2012; Moussouris, 2014; Ozment, 2004; Ransbotham, Mitra, & Ramsey, 2012), this paper takes a distinct institutional perspective to explain the emergence of bounty programs. The empirical, ongoing research is based on a comprehensive document analysis, using media coverage, security reports and grey literature. Its main focus is on the bug bounty programs operated by Microsoft and Facebook. As such, it makes a contribution to the larger debate on responsible disclosure of software vulnerabilities and further informs the current policy debate on the regulation of zero-day exploits.

Keywords: information security, cybersecurity, institutional economics, markets, software vulnerabilities, zero-day exploits, comparative analysis

Suggested Citation

Kuehn, Andreas and Mueller, Milton, Analyzing Bug Bounty Programs: An Institutional Perspective on the Economics of Software Vulnerabilities (August 1, 2014). 2014 TPRC Conference Paper, Available at SSRN: https://ssrn.com/abstract=2418812 or http://dx.doi.org/10.2139/ssrn.2418812

Andreas Kuehn (Contact Author)

Syracuse University, School of Information Studies ( email )

Hinds Hall
Syracuse, NY 13244
United States

Stanford University, Center for International Security and Cooperation

Stanford, CA 94305
United States

EastWest Institute, Global Cooperation in Cyberspace Initiative

New York, NY 10017
United States

Milton Mueller

Georgia Institute of Technology ( email )

School of Public Policy
Atlanta, GA 30332
United States
404-385-4281 (Phone)

HOME PAGE: http://www.spp.gatech.edu/faculty/milt

Here is the Coronavirus
related research on SSRN

Paper statistics

Downloads
715
Abstract Views
2,616
rank
39,884
PlumX Metrics