How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model

Abstract

A bug bounty program (BBP) is an innovative crowdsourcing security solution increasingly adopted by organizations. We use a game-theoretical model to analyze how key characteristics impact BBPs and offer practical insights into managing a BBP as part of an organization’s vulnerability management for better cost-effectiveness. Our findings indicate that organizations with high patching complexity should announce lower bounties, especially if they face limited security resources. BBPs should complement, not substitute, an organization’s security characteristics. Evaluating patching complexity and security posture is crucial when designing a BBP. Furthermore, security researchers drive BBP performance. Higher productivity in researchers doesn’t always require higher bounties even with high postdiscovery costs. Novice productivity can increase total costs if unit postdiscovery costs are high, whereas expert productivity consistently reduces costs. Organizations should disclose high-level product and information technology (IT) features to increase expert productivity. The number of security researchers in a BBP is important, but increasing their numbers doesn’t always necessitate higher bounties. A larger crowd may not always be cost-effective. Lastly, enhanced legal protection for security researchers might not increase organizational risks, especially in organizations with robust security or less sophisticated IT infrastructure. Industrial associations and policymakers should consider these factors in standards and legal frameworks.