The simple economics of an external shock to a bug bounty platform

Aviram Zrahia*, Neil Gandal, Sarit Markovich, Michael Riordan

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

Abstract

We first provide background on the "nuts and bolts"of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers ("ethical"hackers) to facilitate the discovery of software vulnerabilities. Researchers get acknowledged for valid submissions, but only the first submission of a distinct vulnerability is rewarded money in this tournament-like setting. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was a significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.

Original languageEnglish (US)
Article numbertyae006
JournalJournal of Cybersecurity
Volume10
Issue number1
DOIs
StatePublished - 2024

Keywords

  • COVID-19
  • bug bounty platforms
  • exogenous shock
  • software vulnerabilities

ASJC Scopus subject areas

  • Computer Science (miscellaneous)
  • Social Psychology
  • Safety, Risk, Reliability and Quality
  • Political Science and International Relations
  • Computer Networks and Communications
  • Law

Fingerprint

Dive into the research topics of 'The simple economics of an external shock to a bug bounty platform'. Together they form a unique fingerprint.

Cite this