Merchants of Vulnerabilities: How Bug Bounty Programs Benefit Software Vendors
Abstract
We study how bug bounty programs (BBPs) shape software vendors' security and release choices.
We develop a game-theoretic model in which a vendor chooses release timing and severity-contingent bounties, anticipating effort by ethical and malicious hackers in a winner-take-all discovery race.
The model highlights two linked mechanisms: an incentive channel that shifts first discovery of severe vulnerabilities away from malicious exploitation and toward ethical reporting, and a governance channel in which coordinated disclosure changes how vulnerability information is managed during remediation.
We derive closed-form optimal bounties and characterize a feasibility region sustaining positive bounties and interior success probabilities.
Within it, a BBP strictly increases the vendor's expected profit by reallocating first-discovery probability on severe vulnerabilities from malicious to ethical hackers and by converting part of severe-loss exposure into bounded, pay-for-results expenditures.
For private programs, we solve for the optimal invited set of ethical hackers and show it is strictly smaller than the expected number of malicious attackers.
Higher bounties raise ethical hackers' effort and first-discovery probabilities but also increase program cost, and interact with reputational (non-monetary) incentives.
Finally, BBP adoption conditionally reduces the marginal value of additional pre-release delay, implying earlier release relative to the no-BBP benchmark.
Managerially, BBPs should be viewed as a post-release governance layer complementing strong internal assurance rather than a substitute for it.
Policymakers can support responsible use by encouraging timely remediation, transparent post-patch disclosure, and reporting standards that reduce information asymmetry and triage frictions.
(Abstract edited to fit the arXiv length limit.)
이 뉴스, 어떠셨어요?
한 번의 탭으로 반응을 남겨요 · 로그인 불필요