How to Make My Bug Bounty Cost-effective? A Game-theoretical Model

To mitigate the threats from malicious exploitation of vulnerabilities, an increasing number of organizations across different industries have started incorporating bug bounty programs (BBPs) in their vulnerability management cycles. A bug bounty program attracts a crowd of external security researchers to search for new vulnerabilities in the IT systems. Since BBPs have started gaining prevalence, it is very important for an organization to understand how the characteristics of a crowd impact the organizations’ response and the performance of its BBP from a cost-effectiveness perspective.

To examine related questions, we use a game-theoretical model to examine several related research questions where we consider several characteristics:

(i) security researchers in the bounty program (e.g., their efficiency in discovering vulnerabilities, heterogeneity among the security researchers, and the number of security researchers),

(ii) the organization (e.g., patching time and complexities of vulnerabilities),

(iii) the dynamics of the bounty setting (i.e., the trade-offs among damage cost, bounty cost, response cost, and patching cost), and present several interesting findings.

Our findings reveal that

(i) organizations need to be strategic in designing bounties when security researchers have higher levels of efficiency depending on their roles (experts or novices).

(ii) a more effective crowd in terms of higher efficiency level or more participants may not necessarily improve the performance of BBPs in terms of reducing vulnerability discovery times and total costs. These results depend on the organization’s patching capability and the complexity of the vulnerability.

(iii) organizations with flexible patching capability also need to be strategic in adjusting patching time in response to the dynamics in a crowd. Our results provide several other insights to organizations and policymakers in designing effective bug bounty programs.