Authors:
- Leting Zhang (Lerner College of Business & Economics, University of Delaware, Newark, Delaware 19716)
- Emre M. Demirezen (Warrington College of Business, University of Florida, Gainesville, Florida 32611)
- Subodha Kumar (Fox School of Business, Temple University, Philadelphia, Pennsylvania 19122)
Abstract
To mitigate the threats from malicious exploitation of vulnerabilities, an increasing number of organizations across different industries have started incorporating bug bounty programs (BBPs) in their vulnerability management cycles. Whereas a BBP attracts external security researchers to facilitate the discovery of vulnerabilities in organizations’ information technology systems, it also increases the risks after the vulnerabilities are discovered. To deal with the trade-offs, organizations need to understand how to design an optimal bounty and evaluate the total cost of a BBP depending on several key factors. The industry is motivated to understand how the bounty and total costs are impacted by (i) the characteristics of the organization (e.g., security posture and patching complexity), (ii) security researchers (e.g., the heterogeneity among security researchers and their number), and (iii) other factors such as the legal framework surrounding the BBP. However, because there is a lack of formal analyses regarding these issues, we use game-theoretical models to shed light on relevant questions and provide several useful results and managerial insights. First, although an organization’s patching complexity and the bounty act as substitutes, the relationship between security posture and the bounty is not necessarily substitutive or complementary. Furthermore, having a larger number of or more capable security researchers does not necessarily imply an increased bounty or lower total costs. Moreover, whereas the prevalent business belief is that an increased level of legal protection offered to the security researchers increases the cost of the BBP, we find that neither the cost of the BBP nor the offered bounty necessarily increases or decreases. This nuanced finding depends on different types of costs incurred because of the inherent vulnerability itself and costs related to possible leaks out of the BBP. Our study provides insights to security professionals, organizations, and policymakers in designing cost-effective BBPs.
Suggested Citation
Leting Zhang & Emre M. Demirezen & Subodha Kumar, 2025.
"How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model,"
Information Systems Research, INFORMS, vol. 36(2), pages 1031-1053, June.
Handle: RePEc:inm:orisre:v:36:y:2025:i:2:p:1031-1053
DOI: 10.1287/isre.2021.0349