Devising Effective Policies for Bug-Bounty Platforms and Security Vulnerability Discovery

Abstract

Bug-bounty programs have the potential to harvest the effort and diverse knowledge of thousands of independent security researchers, but running them at scale is challenging due to misaligned incentives and misallocation of effort. In our research, we discuss these challenges in detail and present relevant empirical data. We develop an economic framework consisting of two models that focus on evaluating different policies for improving the effectiveness of bug-bounty programs. Further, we discuss regulatory-policy challenges and questions related to vulnerability research and disclosure, such as mandatory bug bounties and the relation to other cyber-security policies.

Publication
Journal of Information Policy, Vol. 7, pp. 372 - 418 (2017)
Aron Laszka, Assistant Professor