Organizational learning on bug bounty platforms

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Scopus citations


Crowdsourced vulnerability discovery has become an increasingly popular method to find security vulnerabilities in a system. In this research, we have analyzed the firm's experience-performance relationship in resolving such security vulnerabilities on bug-bounty platforms. Using a dataset from HackerOne, a major bug bounty platform, we have shown that the firms' vulnerability resolving time on the platform has a U-shape relationship with their experience in resolving the reports. We argue that the firms over-generalize their limited experience initially, which leads to a negative experience effect on resolving performance. However, as the firms encounter more reported vulnerabilities, the actual learning effect dominates the experience effect and improves the firms' resolving performance. We further show that the firms' resolving performance depends on the relevance of the information they received. When the reported vulnerability is relevant and receives a bounty reward, it alleviates the over-generalizing effect but introduces an information overload effect.

Original languageEnglish (US)
Title of host publication26th Americas Conference on Information Systems, AMCIS 2020
PublisherAssociation for Information Systems
ISBN (Electronic)9781733632546
StatePublished - 2020
Event26th Americas Conference on Information Systems, AMCIS 2020 - Salt Lake City, Virtual, United States
Duration: Aug 10 2020Aug 14 2020

Publication series

Name26th Americas Conference on Information Systems, AMCIS 2020


Conference26th Americas Conference on Information Systems, AMCIS 2020
Country/TerritoryUnited States
CitySalt Lake City, Virtual

All Science Journal Classification (ASJC) codes

  • Computer Science Applications
  • Information Systems
  • Computer Networks and Communications
  • Library and Information Sciences


Dive into the research topics of 'Organizational learning on bug bounty platforms'. Together they form a unique fingerprint.

Cite this