The Rules of Engagement for Bug Bounty Programs

Aron Laszka, Mingyi Zhao, Akash Malbari, Jens Grossklags

Research output: Chapter in Book/Report/Conference proceedingConference contribution

12 Scopus citations


White hat hackers, also called ethical hackers, who find and report vulnerabilities to bug bounty programs have become a significant part of today’s security ecosystem. While the efforts of white hats contribute to heightened levels of security at the participating organizations, the white hats’ participation needs to be carefully managed to balance risks with anticipated benefits. One way, taken by organizations, to manage bug bounty programs is to create rules that aim to regulate the behavior of white hats, but also bind these organizations to certain actions (e.g., level of bounty payments). To the best of our knowledge, no research exists that studies the content of these program rules and their impact on the effectiveness of bug bounty programs. We collected and analyzed the rules of 111 bounty programs on a major bug bounty platform, HackerOne. We qualitatively study the contents of these rules to determine a taxonomy of statements governing the expected behavior of white hats and organizations. We also report specific examples of rules to illustrate their reach and diversity across programs. We further engage in a quantitative analysis by pairing the findings of the analysis of the program rules with a second dataset about the performance of the same bug bounty programs, and conducting statistical analyses to evaluate the impact of program rules on program outcomes.

Original languageEnglish (US)
Title of host publicationFinancial Cryptography and Data Security - 22nd International Conference, FC 2018, Revised Selected Papers
EditorsSarah Meiklejohn, Kazue Sako
PublisherSpringer Verlag
Number of pages22
ISBN (Print)9783662583869
StatePublished - 2018
Event22nd International Conference on Financial Cryptography and Data Security, 2018 - Nieuwpoort, Belgium
Duration: Feb 26 2018Mar 2 2018

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10957 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference22nd International Conference on Financial Cryptography and Data Security, 2018

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'The Rules of Engagement for Bug Bounty Programs'. Together they form a unique fingerprint.

Cite this