
Study Highlights Benefits to Software Vendors of Bug Bounty Programs


Software vulnerabilities enable malicious hackers to exploit products and services, compromising systems and data security. In a new study, researchers examined bug bounty programs (BBPs), which incentivize ethical hackers to discover vulnerabilities and sell them back to the software vendors who instituted the bounty. The study’s findings highlight the potential benefits of BBPs to vendors beyond profitability.

The study, by researchers at Carnegie Mellon University and the University of Pittsburgh, appears as a working paper.

“As cybersecurity threats evolve, vendors’ adoption of BBPs will likely gain momentum, providing a valuable tool for enhancing security posture and stakeholder trust,” says Rahul Telang, professor of information systems at Carnegie Mellon’s Heinz College, who co-authored the study.

The virtually ubiquitous use of software has many benefits, but it also has a downside—vulnerabilities or security flaws in code that attackers can exploit, often remotely. Typically, vulnerability disclosure has been a contentious issue between ethical hackers and vendors. A unique approach to dealing with these vulnerabilities is BBPs, where software vendors allow ethical hackers to find security vulnerabilities in exchange for financial rewards, also known as bounties.

Large, well-known software vendors like Google can attract ethical hackers to discover and report bugs. However, smaller, lesser-known vendors may be unable to attract these hackers even if they establish BBPs because of high search costs. To facilitate search and matching, multi-sided platforms like HackerOne and Bugcrowd have entered the market to match software vendors with ethical hackers who hunt for bug bounties under program rules set by the vendor and operated by the platforms. These BBPs have allowed small and medium-sized vendors, who may not have succeeded in creating a viable BBP independently, to do so.

In this study, researchers used game-theoretic models to capture the strategic interactions among software vendors, ethical hackers, and malicious hackers. They explored how BBPs influence the incentives of ethical and malicious hackers to discover vulnerabilities, and the potential externalities arising from their actions. They also investigated the effects of BBPs on software vendors' security incentives, focusing on how these programs affect the timing of software releases. Among the study’s findings:

  • Software vendors can increase expected profits by participating in BBPs, which helps explain their growing use among software vendors and the success of BBP platforms.

  • Vendors with BBPs release their software earlier than vendors without BBPs, albeit with more potential vulnerabilities. While this may boost the risk for software users, vendors can reduce the risk of releasing software with more bugs because ethical hackers in the BBP would find some of these vulnerabilities and would be contractually obligated to coordinate disclosure with the vendor.

  • The optimal number of ethical hackers to invite to a BBP depends solely on the expected number of malicious hackers seeking exploitation. In particular, the optimal number of ethical hackers is always less than the expected number of malicious hackers, and it rises as the expected number of malicious hackers increases.

  • Higher bounties incentivize ethical hackers to exert more effort, increasing the probability of discovering severe vulnerabilities first while reducing the probability of success for malicious hackers.

“Our findings highlight BBPs’ potential benefits for vendors beyond profitability,” notes Esther Gal-Or, professor of marketing at the University of Pittsburgh’s Katz Graduate School of Business, who led the study. “BBPs allow the software to be released earlier by managing risks through coordinated disclosure.”

Adds Muhammad Zia Hydari, assistant professor of business administration at the University of Pittsburgh’s Katz Graduate School of Business, who coauthored the study: “BBPs turn vulnerability identification and disclosure into new market relationships and transactions, which affects software vendors’ incentives regarding product security choices like the timing of releases.”

###


Summarized from a Working Paper, Merchants of Vulnerabilities: How Bug Bounty Programs Benefit Software Vendors, by Gal-Or, E (University of Pittsburgh), Hydari, MZ (University of Pittsburgh), and Telang, R (Carnegie Mellon University). Copyright 2024. All rights reserved.

About Heinz College of Information Systems and Public Policy
The Heinz College of Information Systems and Public Policy is home to two internationally recognized graduate-level institutions at Carnegie Mellon University: the School of Information Systems and Management and the School of Public Policy and Management. This unique colocation, combined with its expertise in analytics, sets Heinz College apart in the areas of cybersecurity, health care, the future of work, smart cities, and arts & entertainment. In 2016, INFORMS named Heinz College the #1 academic program for Analytics Education. For more information, please visit www.heinz.cmu.edu.