How to Make My Bug Bounty Cost-effective? A Game-theoretical Model

Fox School of Business Research Paper

Forthcoming in Information Systems Research

77 Pages Posted: 26 Jun 2024

Leting Zhang

University of Delaware - Accounting & MIS

Emre M Demirezen

University of Florida - Information Systems and Operations Management

Subodha Kumar

Temple University - Fox School of Business

Date Written: July 02, 2021

Abstract

To mitigate the threats from malicious exploitation of vulnerabilities, an increasing number of organizations across different industries have started incorporating bug bounty programs (BBPs) in their vulnerability management cycles. While a BBP attracts external security researchers to facilitate the discovery of vulnerabilities in organizations' information technology (IT) systems, it also increases the risks after the vulnerabilities are discovered. To deal with the tradeoffs, organizations need to understand how to design an optimal bounty and evaluate the total cost of a BBP depending on several key factors. The industry is motivated to understand how the bounty and total costs are impacted by (i) the characteristics of the organization (e.g., security posture and patching complexity), (ii) security researchers (e.g., the heterogeneity among security researchers and their number), and (iii) other factors such as the legal framework surrounding the BBP. However, since there is a lack of formal analyses regarding these issues, we use game-theoretical models to shed light on relevant questions and provide several useful results and managerial insights. First, although an organization's patching complexity and the bounty act as substitutes, the relationship between security posture and the bounty is not necessarily substitutive or complementary. Furthermore, having a larger number of or more capable security researchers does not necessarily imply an increased bounty or lower total costs. Moreover, while the prevalent business belief is that an increased level of legal protection offered to the security researchers increases the cost of the BBP, we find that neither the cost of the BBP nor the offered bounty necessarily increases or decreases. This nuanced finding depends on different types of costs incurred due to the inherent vulnerability itself and costs related to possible leaks out of the BBP. Our study provides insights to security professionals, organizations, and policymakers in designing cost-effective BBPs.

Keywords: Bug bounty, crowdsourcing, IT security, vulnerability management, analytical modeling

Suggested Citation

Zhang, Leting and Demirezen, Emre M and Kumar, Subodha, How to Make My Bug Bounty Cost-effective? A Game-theoretical Model (July 02, 2021). Fox School of Business Research Paper, Forthcoming in Information Systems Research, Available at SSRN: https://ssrn.com/abstract=4869779 or http://dx.doi.org/10.2139/ssrn.4869779

Leting Zhang (Contact Author)

University of Delaware - Accounting & MIS

Alfred Lerner College of Business and Economics
Newark, DE 19716
United States

Emre M Demirezen

University of Florida - Information Systems and Operations Management

PO Box 117165, 201 Stuzin Hall
Gainesville, FL 32610-0496
United States

Subodha Kumar

Temple University - Fox School of Business

Philadelphia, PA 19122-____
United States

HOME PAGE: http://sites.temple.edu/subodha/
