
Hackers’ self-selection in crowdsourced bug bounty programs

Author

Listed:
  • Arrah-Marie Jo

Abstract

A bug bounty program, also known as a Vulnerability Research Program (VRP), is a form of crowdsourcing increasingly used by companies to improve their system security. It involves offering monetary rewards to individuals who find new security flaws in a piece of software or a system. One of the key challenges in the design of such contests is to attract enough participants of a high standard. In this paper, we study how hackers’ perception of the uncertainty of obtaining a reward, determined by the level of information a contest provides about the contractual terms, affects the outcome of the contest both quantitatively (the number of participations) and qualitatively (participant skill and experience). Specifically, we examine how a hacker’s choice to participate in a VRP depends on this level of information. Using an unbalanced panel data set on 156 bug bounty programs run on a well-known bug bounty platform, we find that a more detailed contest policy, and in particular more information about the compensation scheme, attracts a greater number of participants. Conversely, providing less detail induces less participation but attracts more skilled and more experienced hackers. Hackers self-select whether to participate in a VRP according to the level of information about the contest’s contractual terms, which leads to a trade-off between inducing higher rates of participation and attracting more valuable participants.

Suggested Citation

  • Arrah-Marie Jo, 2020. "Hackers’ self-selection in crowdsourced bug bounty programs," Revue d'économie industrielle, De Boeck Université, vol. 0(4), pages 83-132.
  • Handle: RePEc:cai:reidbu:rei_172_0083

    Download full text from publisher

    File URL: http://www.cairn.info/load_pdf.php?ID_ARTICLE=REI_172_0083
    Download Restriction: free

    File URL: http://www.cairn.info/revue-d-economie-industrielle-2020-4-page-83.htm
    Download Restriction: free