Hackers’ self-selection in crowdsourced bug bounty programs
Arrah-Marie Jo
Revue d'économie industrielle, 2020, vol. n° 172, issue 4, 83-132
Abstract:
A bug bounty program, also known as a Vulnerability Research Program (VRP), is a form of crowdsourcing increasingly used by companies to improve their system security. It involves offering monetary rewards to individuals that find new security flaws in a piece of software or a system. One of the key challenges in the design of such contests is to attract enough participants of a high standard. In this paper, we study how hackers’ perception of the uncertainty of obtaining a reward, determined by the level of information a contest provides about the contractual terms, affects the outcome of the contest both quantitatively (the number of participations) and qualitatively (participant skill and experience). Specifically, we examine how a hacker’s choice to participate in a VRP depends on this level of information. Using an unbalanced panel data set on 156 bug bounty programs run on a well-known bug bounty platform, we find that a more detailed contest policy and in particular more information about the compensation scheme attracts a greater number of participants. On the contrary, providing less detail induces less participation but attracts more skilled and more experienced hackers. Hackers self-select whether to participate in a VRP according to the level of information about the contest’s contractual terms, which leads to a trade-off between inducing higher rates of participation and attracting more valuable participants.
Keywords: uncertainty; bug bounty program; crowdsourcing; vulnerability discovery; innovation contest; contract-related incentives; self-selection effect; hackers
Date: 2020
Downloads (free):
http://www.cairn.info/load_pdf.php?ID_ARTICLE=REI_172_0083 (application/pdf)
http://www.cairn.info/revue-d-economie-industrielle-2020-4-page-83.htm (text/html)
Persistent link: https://EconPapers.repec.org/RePEc:cai:reidbu:rei_172_0083
More articles in Revue d'économie industrielle from De Boeck Université