Abstract
This paper uncovers a paradox in software security: bug bounty programs (BBPs), ostensibly created to enhance software security, perversely lead vendors to release less secure software. Using a game-theoretic model of the economic implications of BBPs, we show that vendors strategically reduce pre-release testing and instead rely on BBPs for post-release management of software vulnerabilities (SVs). This behavior emerges because a BBP gives the vendor greater assurance that severe SVs will be privately reported and patched, which lowers the perceived risk of uncoordinated public disclosure. Beyond this primary finding, our analysis of the strategic interactions and trade-offs among software vendors, ethical (white-hat) hackers, and malicious (black-hat) hackers yields several non-obvious insights. We demonstrate that participation in a BBP can raise a vendor's expected profit when the benefits to ethical and malicious hackers, net of effort costs, are comparable. We also show that higher bounties induce ethical hackers to exert greater effort, raising the likelihood that they discover severe vulnerabilities before malicious hackers do. Furthermore, we find that the optimal number of ethical hackers to invite into a BBP is always lower than, but increases with, the expected number of malicious hackers. These findings challenge the conventional view of BBPs by showing how they reshape vendor incentives toward accelerated, albeit riskier, software launches.
Recommended Citation
Gal-Or, Esther; Hydari, Muhammad Zia; and Telang, Rahul, "Merchants of Vulnerabilities: How Bug Bounty Programs Benefit Software Vendors" (2025). NEAIS 2025 Proceedings. 27.
https://aisel.aisnet.org/neais2025/27
Abstract Only