How to Make My Bug Bounty Cost-effective? A Game-theoretical Model
Fox School of Business Research Paper
Forthcoming in Information Systems Research
77 Pages Posted: 26 Jun 2024
Date Written: July 02, 2021
Abstract
To mitigate the threat of malicious exploitation of vulnerabilities, an increasing number of organizations across different industries have started incorporating bug bounty programs (BBPs) into their vulnerability management cycles. While a BBP attracts external security researchers to facilitate the discovery of vulnerabilities in an organization's information technology (IT) systems, it also increases post-discovery risk, since a reported vulnerability may leak out of the program before it is patched. To deal with this tradeoff, organizations need to understand how to design an optimal bounty and how to evaluate the total cost of a BBP as a function of several key factors. Practitioners want to know how the bounty and total costs are affected by (i) the characteristics of the organization (e.g., security posture and patching complexity), (ii) the security researchers (e.g., their number and the heterogeneity of their capabilities), and (iii) other factors such as the legal framework surrounding the BBP. Since formal analyses of these questions are lacking, we use game-theoretical models to shed light on them and derive several useful results and managerial insights. First, although an organization's patching complexity and the bounty act as substitutes, the relationship between security posture and the bounty is not necessarily substitutive or complementary. Furthermore, having a larger number of, or more capable, security researchers does not necessarily imply an increased bounty or lower total costs. Moreover, while the prevalent business belief is that an increased level of legal protection offered to security researchers raises the cost of the BBP, we find that neither the cost of the BBP nor the offered bounty necessarily increases or decreases. This nuanced finding depends on the relative size of two kinds of cost: the cost incurred due to the vulnerability itself and the cost related to possible leaks out of the BBP. Our study provides insights to security professionals, organizations, and policymakers in designing cost-effective BBPs.
Keywords: Bug bounty, crowdsourcing, IT security, vulnerability management, analytical modeling