Abstract
In cybersecurity, bug bounty programs have emerged as a new method of identifying security vulnerabilities. Despite the growing interest in studying bug bounty programs, it remains unclear how firms collaborate with online hackers on an open bug bounty platform. In this paper, we examine how a firm’s experience of working with hackers affects its efficiency in resolving security vulnerabilities on a bug bounty platform. We focus on the collaboration between hackers and firms on an open platform. Our initial results, based on a dataset obtained from a leading bug bounty platform, suggest an inverted U-shaped relationship between the firm’s vulnerability resolution time and the number of vulnerabilities resolved in the past. Interestingly, firms may perform worse (i.e., take longer to resolve vulnerabilities) as they gain experience at low to moderate levels of experience. However, once the firms have gained sufficient experience, a positive learning effect kicks in, i.e., vulnerability resolution times decrease as experience increases at moderate to high levels of experience. We suggest that firms over-generalize their experience of working with hackers: resolution experience gained while working with one hacker cannot be sufficiently applied to another hacker.
Recommended Citation
Ahmed, Ali; Lee, Brian; and Deokar, Amit, "Experience and Efficiency in Vulnerability Resolution on Bug Bounty Platforms" (2024). WISP 2024 Proceedings. 1.
https://aisel.aisnet.org/wisp2024/1