Abstract
We first provide background on the "nuts and bolts" of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers ("ethical" hackers) to facilitate the discovery of software vulnerabilities. Researchers are acknowledged for valid submissions, but in this tournament-like setting only the first submission of a distinct vulnerability is rewarded with money. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers, who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate-submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.
Field | Value
---|---
Original language | English (US)
Article number | tyae006
Journal | Journal of Cybersecurity
Volume | 10
Issue number | 1
DOIs |
State | Published - 2024
Keywords
- COVID-19
- bug bounty platforms
- exogenous shock
- software vulnerabilities
ASJC Scopus subject areas
- Computer Science (miscellaneous)
- Social Psychology
- Safety, Risk, Reliability and Quality
- Political Science and International Relations
- Computer Networks and Communications
- Law