How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model

IF 5 3区 管理学 Q1 INFORMATION SCIENCE & LIBRARY SCIENCE Information Systems Research Pub Date : 2024-09-03 DOI:10.1287/isre.2021.0349
Leting Zhang, Emre M. Demirezen, Subodha Kumar
{"title":"How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model","authors":"Leting Zhang, Emre M. Demirezen, Subodha Kumar","doi":"10.1287/isre.2021.0349","DOIUrl":null,"url":null,"abstract":"A bug bounty program (BBP) is an innovative crowdsourcing security solution increasingly adopted by organizations. We use a game-theoretical model to analyze how key characteristics impact BBPs and offer practical insights into managing a BBP as part of an organization’s vulnerability management for better cost-effectiveness. Our findings indicate that organizations with high patching complexity should announce lower bounties, especially if they face limited security resources. BBPs should complement, not substitute, an organization’s security characteristics. Evaluating patching complexity and security posture is crucial when designing a BBP. Furthermore, security researchers drive BBP performance. Higher productivity in researchers doesn’t always require higher bounties even with high postdiscovery costs. Novice productivity can increase total costs if unit postdiscovery costs are high, whereas expert productivity consistently reduces costs. Organizations should disclose high-level product and information technology (IT) features to increase expert productivity. The number of security researchers in a BBP is important, but increasing their numbers doesn’t always necessitate higher bounties. A larger crowd may not always be cost-effective. Lastly, enhanced legal protection for security researchers might not increase organizational risks, especially in organizations with robust security or less sophisticated IT infrastructure. Industrial associations and policymakers should consider these factors in standards and legal frameworks.","PeriodicalId":48411,"journal":{"name":"Information Systems Research","volume":"8 1","pages":""},"PeriodicalIF":5.0000,"publicationDate":"2024-09-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Systems Research","FirstCategoryId":"91","ListUrlMain":"https://doi.org/10.1287/isre.2021.0349","RegionNum":3,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"INFORMATION SCIENCE & LIBRARY SCIENCE","Score":null,"Total":0}
引用次数: 0

Abstract

A bug bounty program (BBP) is an innovative crowdsourcing security solution increasingly adopted by organizations. We use a game-theoretical model to analyze how key characteristics impact BBPs and offer practical insights into managing a BBP as part of an organization’s vulnerability management for better cost-effectiveness. Our findings indicate that organizations with high patching complexity should announce lower bounties, especially if they face limited security resources. BBPs should complement, not substitute, an organization’s security characteristics. Evaluating patching complexity and security posture is crucial when designing a BBP. Furthermore, security researchers drive BBP performance. Higher productivity in researchers doesn’t always require higher bounties even with high postdiscovery costs. Novice productivity can increase total costs if unit postdiscovery costs are high, whereas expert productivity consistently reduces costs. Organizations should disclose high-level product and information technology (IT) features to increase expert productivity. The number of security researchers in a BBP is important, but increasing their numbers doesn’t always necessitate higher bounties. A larger crowd may not always be cost-effective. Lastly, enhanced legal protection for security researchers might not increase organizational risks, especially in organizations with robust security or less sophisticated IT infrastructure. Industrial associations and policymakers should consider these factors in standards and legal frameworks.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
如何使我的 Bug 赏金具有成本效益?游戏理论模型
漏洞悬赏计划(BBP)是一种创新的众包安全解决方案,越来越多地被企业采用。我们利用博弈论模型分析了关键特征对 BBP 的影响,并就如何将 BBP 作为企业漏洞管理的一部分进行管理以提高成本效益提出了实用见解。我们的研究结果表明,打补丁复杂度高的组织应宣布较低的赏金,尤其是在安全资源有限的情况下。BBP 应该补充而不是替代企业的安全特性。在设计 BBP 时,评估补丁复杂性和安全态势至关重要。此外,安全研究人员也是 BBP 性能的驱动力。即使发现后的成本很高,提高研究人员的工作效率并不一定需要更高的赏金。如果单位发现后成本较高,新手的生产力可能会增加总成本,而专家的生产力则会持续降低成本。企业应披露高级产品和信息技术 (IT) 功能,以提高专家的生产力。BBP 中的安全研究人员数量很重要,但增加他们的数量并不一定需要更高的赏金。人数越多不一定就越划算。最后,加强对安全研究人员的法律保护可能不会增加组织的风险,尤其是在拥有强大安全或不太先进的 IT 基础设施的组织中。行业协会和政策制定者应在标准和法律框架中考虑这些因素。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
CiteScore
9.10
自引率
8.20%
发文量
120
期刊介绍: ISR (Information Systems Research) is a journal of INFORMS, the Institute for Operations Research and the Management Sciences. Information Systems Research is a leading international journal of theory, research, and intellectual development, focused on information systems in organizations, institutions, the economy, and society.
期刊最新文献
Win by Hook or Crook? Self-Injecting Favorable Online Reviews to Fight Adjacent Rivals Omnificence or Differentiation? An Empirical Study of Knowledge Structure and Career Development of IT Workers Timely Quality Problem Resolution in Peer-Production Systems: The Impact of Bots, Policy Citations, and Contributor Experience Does David Make A Goliath? Impact of Rival’s Expertise Signals on Online User Engagement How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1