TY - GEN
T1 - Organizational learning on bug bounty platforms
AU - Ahmed, Ali
AU - Lee, Ho Cheung Brian
N1 - Publisher Copyright:
© 2020 26th Americas Conference on Information Systems, AMCIS 2020. All rights reserved.
PY - 2020
Y1 - 2020
N2 - Crowdsourced vulnerability discovery has become an increasingly popular method to find security vulnerabilities in a system. In this research, we have analyzed the firm's experience-performance relationship in resolving such security vulnerabilities on bug-bounty platforms. Using a dataset from HackerOne, a major bug bounty platform, we have shown that the firms' vulnerability resolving time on the platform has a U-shape relationship with their experience in resolving the reports. We argue that the firms over-generalize their limited experience initially, which leads to a negative experience effect on resolving performance. However, as the firms encounter more reported vulnerabilities, the actual learning effect dominates the experience effect and improves the firms' resolving performance. We further show that the firms' resolving performance depends on the relevance of the information they received. When the reported vulnerability is relevant and receives a bounty reward, it alleviates the over-generalizing effect but introduces an information overload effect.
UR - http://www.scopus.com/inward/record.url?scp=85097721229&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85097721229&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85097721229
T3 - 26th Americas Conference on Information Systems, AMCIS 2020
BT - 26th Americas Conference on Information Systems, AMCIS 2020
PB - Association for Information Systems
T2 - 26th Americas Conference on Information Systems, AMCIS 2020
Y2 - 10 August 2020 through 14 August 2020
ER -