EconPapers    
Economics at your fingertips  

EconPapers Home
About EconPapers

Working Papers
Journal Articles
Books and Chapters
Software Components

Authors

JEL codes
New Economics Papers

Advanced Search


EconPapers FAQ
Archive maintainers FAQ
Cookies at EconPapers

Format for printing

The RePEc blog
The RePEc plagiarism page

 

Merchants of Vulnerabilities: How Bug Bounty Programs Benefit Software Vendors

Esther Gal-Or, Muhammad Hydari and Rahul Telang

Papers from arXiv.org

Abstract: Software vulnerabilities enable exploitation by malicious hackers, compromising systems and data security. This paper examines bug bounty programs (BBPs) that incentivize ethical hackers to discover and responsibly disclose vulnerabilities to software vendors. Using game-theoretic models, we capture the strategic interactions between software vendors, ethical hackers, and malicious hackers. First, our analysis shows that software vendors can increase expected profits by participating in BBPs, explaining their growing adoption and the success of BBP platforms. Second, we find that vendors with BBPs will release software earlier, albeit with more potential vulnerabilities, as BBPs enable coordinated vulnerability disclosure and mitigation. Third, the optimal number of ethical hackers to invite to a BBP depends solely on the expected number of malicious hackers seeking exploitation. This optimal number of ethical hackers is lower than but increases with the expected malicious hacker count. Finally, higher bounties incentivize ethical hackers to exert more effort, thereby increasing the probability that they will discover severe vulnerabilities first while reducing the success probability of malicious hackers. These findings highlight BBPs' potential benefits for vendors beyond profitability. Earlier software releases are enabled by managing risks through coordinated disclosure. As cybersecurity threats evolve, BBP adoption will likely gain momentum, providing vendors with a valuable tool for enhancing security posture and stakeholder trust. Moreover, BBPs envelop vulnerability identification and disclosure into new market relationships and transactions, impacting software vendors' incentives regarding product security choices like release timing.

Date: 2024-04
New Economics Papers: this item is included in nep-gth
References: View references in EconPapers View complete reference list from CitEc
Citations:

Downloads: (external link)
http://arxiv.org/pdf/2404.17497 Latest version (application/pdf)

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:arx:papers:2404.17497

Access Statistics for this paper

More papers in Papers from arXiv.org
Bibliographic data for series maintained by arXiv administrators (help@arxiv.org).

 
Share

RePEc
This site is part of RePEc and all the data displayed here is part of the RePEc data set.

Is your work missing from RePEc? Here is how to contribute.

Questions or problems? Check the EconPapers FAQ or send mail to econpapers@oru.se.

Örebro UniversityEconPapers is hosted by the School of Business at Örebro University.

Page updated 2025-03-30
Handle: RePEc:arx:papers:2404.17497