Cyber-security, Privacy and Ethics of IS
Paper Number
2606
Paper Type
short
Description
In this paper, we have analyzed voluntary vulnerability disclosure and its effects on ethical hackers’ participation in an organization’s bug bounty program. Specifically, we have analyzed the effect of the disclosure of patched vulnerability reports in a bug bounty program and how it affects new hackers’ participation in the program. Using a dataset from a leading bug bounty platform, we have shown that the disclosure of valid vulnerabilities attracts new hackers to the program. We have also found that the disclosure of valid reports attracts more experienced hackers to the program. However, the disclosure of duplicate, informational, and not-applicable reports decreases the participation of experienced hackers in a program. Our findings broaden our understanding of working with ethical hackers on bug bounty programs. We contribute to the debate in operations management on how organizations’ earlier workflow attracts new and high-quality workers to the programs in an open crowdsourcing platform.
Recommended Citation
Ahmed, Ali; Lee, Brian; and Deokar, Amit V., "The Role of Vulnerability Disclosure on Hacker Participation in Bug Bounty Programs" (2021). ICIS 2021 Proceedings. 14.
https://aisel.aisnet.org/icis2021/cyber_security/cyber_security/14
The Role of Vulnerability Disclosure on Hacker Participation in Bug Bounty Programs
Comments
07-Security