TY - JOUR
T1 - Devising effective policies for bug-bounty platforms and security vulnerability discovery
AU - Zhao, Mingyi
AU - Laszka, Aron
AU - Grossklags, Jens
N1 - Publisher Copyright:
© 2017 Penn State University Press. All rights reserved.
PY - 2017
Y1 - 2017
N2 - Bug-bounty programs have the potential to harvest the effort and diverse knowledge of thousands of independent security researchers, but running them at scale is challenging due to misaligned incentives and misallocation of effort. In our research, we discuss these challenges in detail and present relevant empirical data. We develop an economic framework consisting of two models that focus on evaluating different policies for improving the effectiveness of bug-bounty programs. Further, we discuss regulatory policy challenges and questions related to vulnerability research and disclosure, such as mandatory bug bounties and the relation to other cybersecurity policies.
AB - Bug-bounty programs have the potential to harvest the effort and diverse knowledge of thousands of independent security researchers, but running them at scale is challenging due to misaligned incentives and misallocation of effort. In our research, we discuss these challenges in detail and present relevant empirical data. We develop an economic framework consisting of two models that focus on evaluating different policies for improving the effectiveness of bug-bounty programs. Further, we discuss regulatory policy challenges and questions related to vulnerability research and disclosure, such as mandatory bug bounties and the relation to other cybersecurity policies.
UR - http://www.scopus.com/inward/record.url?scp=85044114820&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85044114820&partnerID=8YFLogxK
U2 - 10.5325/jinfopoli.7.2017.0372
DO - 10.5325/jinfopoli.7.2017.0372
M3 - Article
AN - SCOPUS:85044114820
SN - 2381-5892
VL - 7
SP - 372
EP - 418
JO - Journal of Information Policy
JF - Journal of Information Policy
ER -