How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model
Publication type:
Article
Authors:
Zhang, Leting; Demirezen, Emre M.; Kumar, Subodha
Affiliations:
University of Delaware; State University System of Florida; University of Florida; Pennsylvania Commonwealth System of Higher Education (PCSHE); Temple University
Journal:
INFORMATION SYSTEMS RESEARCH
ISSN/ISBN:
1047-7047
DOI:
10.1287/isre.2021.0349
Publication date:
2025
Keywords:
information security
innovation contests
incentives
scale
Abstract:
To mitigate the threat of malicious exploitation of vulnerabilities, an increasing number of organizations across different industries have started incorporating bug bounty programs (BBPs) into their vulnerability management cycles. Whereas a BBP attracts external security researchers to facilitate the discovery of vulnerabilities in organizations' information technology systems, it also increases the risk that a vulnerability, once discovered, is leaked or exploited before it is patched. To manage this trade-off, organizations need to understand how to design an optimal bounty and how to evaluate the total cost of a BBP as a function of several key factors. The industry is motivated to understand how the bounty and total costs are affected by (i) the characteristics of the organization (e.g., security posture and patching complexity), (ii) the security researchers (e.g., their number and the heterogeneity of their capabilities), and (iii) other factors such as the legal framework surrounding the BBP. Because formal analyses of these issues are lacking, we use game-theoretical models to shed light on the relevant questions and provide several useful results and managerial insights. First, although an organization's patching complexity and the bounty act as substitutes, the relationship between security posture and the bounty is not necessarily substitutive or complementary. Furthermore, having a larger number of, or more capable, security researchers does not necessarily imply an increased bounty or lower total costs. Moreover, whereas the prevalent business belief is that an increased level of legal protection offered to security researchers increases the cost of the BBP, we find that neither the cost of the BBP nor the offered bounty necessarily increases or decreases. This nuanced finding depends on the relative size of two types of cost: the cost incurred because of the vulnerability itself, and the cost related to possible leaks out of the BBP. Our study provides insights to security professionals, organizations, and policymakers in designing cost-effective BBPs.
Source URL: