IDEAS home Printed from https://ideas.repec.org/p/arx/papers/2509.16655.html
   My bibliography  Save this paper

Incentives and Outcomes in Bug Bounties

Author

Listed:
  • Serena Wang
  • Martino Banchio
  • Krzysztof Kotowicz
  • Katrina Ligett
  • R. Preston McAfee
  • Eduardo' Vela'' Nava

Abstract

Bug bounty programs have contributed significantly to security in technology firms in the last decade, but little is known about the role of reward incentives in producing useful outcomes. We analyze incentives and outcomes in Google's Vulnerability Rewards Program (VRP), one of the world's largest bug bounty programs. We analyze the responsiveness of the quality and quantity of bugs received to changes in payments, focusing on a change in Google's reward amounts posted in July, 2024, in which reward amounts increased by up to 200% for the highest impact tier. Our empirical results show an increase in the volume of high-value bugs received after the reward increase, for which we also compute elasticities. We further break down the sources of this increase between veteran researchers and new researchers, showing that the reward increase both redirected the attention of veteran researchers and attracted new top security researchers into the program.

Suggested Citation

  • Serena Wang & Martino Banchio & Krzysztof Kotowicz & Katrina Ligett & R. Preston McAfee & Eduardo' Vela'' Nava, 2025. "Incentives and Outcomes in Bug Bounties," Papers 2509.16655, arXiv.org.
    • Handle: RePEc:arx:papers:2509.16655
    as

    Download full text from publisher

    File URL: http://arxiv.org/pdf/2509.16655
    File Function: Latest version
    Download Restriction: no
    ---><---

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:arx:papers:2509.16655. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    We have no bibliographic references for this item. You can help adding them by using this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: arXiv administrators (email available below). General contact details of provider: http://arxiv.org/ .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.