How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model
Leting Zhang, Emre M. Demirezen and Subodha Kumar
Affiliations:
Leting Zhang: Lerner College of Business & Economics, University of Delaware, Newark, Delaware 19716
Emre M. Demirezen: Warrington College of Business, University of Florida, Gainesville, Florida 32611
Subodha Kumar: Fox School of Business, Temple University, Philadelphia, Pennsylvania 19122
Information Systems Research, 2025, vol. 36, issue 2, 1031-1053
Abstract:
To mitigate the threats from malicious exploitation of vulnerabilities, an increasing number of organizations across different industries have started incorporating bug bounty programs (BBPs) in their vulnerability management cycles. Whereas a BBP attracts external security researchers to facilitate the discovery of vulnerabilities in organizations’ information technology systems, it also increases the risks after the vulnerabilities are discovered. To deal with the trade-offs, organizations need to understand how to design an optimal bounty and evaluate the total cost of a BBP depending on several key factors. The industry is motivated to understand how the bounty and total costs are impacted by (i) the characteristics of the organization (e.g., security posture and patching complexity), (ii) security researchers (e.g., the heterogeneity among security researchers and their number), and (iii) other factors such as the legal framework surrounding the BBP. However, because there is a lack of formal analyses regarding these issues, we use game-theoretical models to shed light on relevant questions and provide several useful results and managerial insights. First, although an organization’s patching complexity and the bounty act as substitutes, the relationship between security posture and the bounty is not necessarily substitutive or complementary. Furthermore, having a larger number of or more capable security researchers does not necessarily imply an increased bounty or lower total costs. Moreover, whereas the prevalent business belief is that an increased level of legal protection offered to the security researchers increases the cost of the BBP, we find that neither the cost of the BBP nor the offered bounty necessarily increases or decreases. This nuanced finding depends on different types of costs incurred because of the inherent vulnerability itself and costs related to possible leaks out of the BBP. Our study provides insights to security professionals, organizations, and policymakers in designing cost-effective BBPs.
Keywords: bug bounty; crowdsourcing; IT security; vulnerability management; analytical modeling
Date: 2025
Download: http://dx.doi.org/10.1287/isre.2021.0349 (application/pdf)
Persistent link: https://EconPapers.repec.org/RePEc:inm:orisre:v:36:y:2025:i:2:p:1031-1053