TY - JOUR
T1 - The simple economics of an external shock to a bug bounty platform
AU - Zrahia, Aviram
AU - Gandal, Neil
AU - Markovich, Sarit
AU - Riordan, Michael
N1 - Publisher Copyright:
© 2024 The Author(s). Published by Oxford University Press.
PY - 2024
Y1 - 2024
N2 - We first provide background on the "nuts and bolts" of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers ("ethical" hackers) to facilitate the discovery of software vulnerabilities. Researchers get acknowledged for valid submissions, but only the first submission of a distinct vulnerability is rewarded money in this tournament-like setting. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was a significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.
AB - We first provide background on the "nuts and bolts" of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers ("ethical" hackers) to facilitate the discovery of software vulnerabilities. Researchers get acknowledged for valid submissions, but only the first submission of a distinct vulnerability is rewarded money in this tournament-like setting. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was a significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.
KW - bug bounty platforms
KW - COVID-19
KW - exogenous shock
KW - software vulnerabilities
UR - http://www.scopus.com/inward/record.url?scp=85192773302&partnerID=8YFLogxK
U2 - 10.1093/cybsec/tyae006
DO - 10.1093/cybsec/tyae006
M3 - Article
AN - SCOPUS:85192773302
SN - 2057-2085
VL - 10
JO - Journal of Cybersecurity
JF - Journal of Cybersecurity
IS - 1
M1 - tyae006
ER -