{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T02:11:34Z","timestamp":1773713494945,"version":"3.50.1"},"reference-count":39,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2021,3,12]],"date-time":"2021-03-12T00:00:00Z","timestamp":1615507200000},"content-version":"vor","delay-in-days":70,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"HackerOne"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,2,16]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>We ran a study of bug bounties, programs where gig economy security researchers are compensated for pinpointing and explaining vulnerabilities in company code bases. Bug bounty advocates have argued that they are a cost-effective means for companies of all types to shore up their security posture. Our research\u2014which analyzes a large, proprietary dataset and which leverages instrumental variables to eliminate potential sources of endogeneity\u2014provides empirical support for this assertion. Security researchers have a price elasticity of supply of between 0.1 and 0.2 at the median, indicating that they are largely motivated by non-pecuniary factors; a company is still able to derive utility from bug bounties even if it has a limited ability to pay security researchers. Moreover, a company\u2019s revenue and brand profile do not have an economically significant impact on the number of valid security vulnerability reports its program receives. However, we found that companies in the finance, retail, and healthcare sectors are notified of fewer valid vulnerabilities, ceteris paribus, than companies in other sectors, though these estimates are not statistically significant at the 5% level. We also found no evidence that new companies joining the HackerOne platform dampen the number of reports that firms receive. Finally, we find that programs receive fewer valid reports as they grow older and bugs become harder to find. This negative age effect may be dampened if the program increases the code base available for hacking.<\/jats:p>","DOI":"10.1093\/cybsec\/tyab007","type":"journal-article","created":{"date-parts":[[2021,3,11]],"date-time":"2021-03-11T23:59:40Z","timestamp":1615507180000},"source":"Crossref","is-referenced-by-count":19,"title":["Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties"],"prefix":"10.1093","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1353-248X","authenticated-orcid":false,"given":"Kiran","family":"Sridhar","sequence":"first","affiliation":[{"name":"Stanford University; Operations and Technology Management, University of Cambridge, CA 94103"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ming","family":"Ng","sequence":"additional","affiliation":[{"name":"Department of Data Science, HackerOne, San Francisco, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2021,3,12]]},"reference":[{"key":"2021031211092347300_tyab007-B1","author":"HackerOne","year":"2018"},{"key":"2021031211092347300_tyab007-B2","author":"HackerOne","year":"2018"},{"key":"2021031211092347300_tyab007-B3","author":"Department of Homeland Security","year":"2019"},{"key":"2021031211092347300_tyab007-B4","author":"Gardner","year":"2018"},{"key":"2021031211092347300_tyab007-B5","doi-asserted-by":"crossref","first-page":"831","DOI":"10.1007\/s11948-015-9648-y","article-title":"Security-by-experiment: lessons from responsible development in cyberspace","volume":"22","author":"Pieters","year":"2016","journal-title":"Sci Eng Ethics"},{"key":"2021031211092347300_tyab007-B6","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1093\/qje\/qjq008","article-title":"Identifying government spending shocks: it\u2019s all in the timing","volume":"126","author":"Ramey","year":"2011","journal-title":"Quart J Econ"},{"key":"2021031211092347300_tyab007-B7","doi-asserted-by":"crossref","first-page":"393","DOI":"10.2307\/1907619","article-title":"The estimation of economic relationships using instrumental variables","volume":"26","author":"Sargan","year":"1958","journal-title":"Econometrica J Econ Soc"},{"key":"2021031211092347300_tyab007-B8","doi-asserted-by":"crossref","first-page":"507","DOI":"10.2307\/1909556","article-title":"The estimation of simultaneous equation models with lagged endogenous variables and first order serially correlated errors","volume":"38","author":"Fair","year":"1970","journal-title":"Econometrica"},{"key":"2021031211092347300_tyab007-B9","author":"ISC2","year":"2019"},{"key":"2021031211092347300_tyab007-B10","author":"Dimon","year":"2019"},{"key":"2021031211092347300_tyab007-B11","author":"Verizon Enterprise Solutions","year":"2018"},{"key":"2021031211092347300_tyab007-B12","author":"HackerOne","year":"2020"},{"key":"2021031211092347300_tyab007-B13","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1007\/s12130-999-1026-0","article-title":"The cathedral and the bazaar","volume":"12","author":"Raymond","year":"1999","journal-title":"Knowledge Technol Policy"},{"key":"2021031211092347300_tyab007-B14","volume-title":"Murphy\u2019s Law, the Fitness of Evolving Species, and the Limits of Software Reliability","author":"Brady","year":"1999"},{"key":"2021031211092347300_tyab007-B15","author":"Fonseca","year":"2010"},{"key":"2021031211092347300_tyab007-B16","doi-asserted-by":"crossref","first-page":"81","DOI":"10.4236\/jis.2016.72006","article-title":"The \u201citerated weakest link\u201d model of adaptive security investment","volume":"07","author":"Bohme","year":"2016","journal-title":"J Informat Security"},{"key":"2021031211092347300_tyab007-B17","author":"Corrigan","year":"2017"},{"key":"2021031211092347300_tyab007-B18","volume-title":"Gray Hat Hacking: The Ethical Hacker\u2019s Handbook","author":"Harper","year":"2011"},{"key":"2021031211092347300_tyab007-B19"},{"key":"2021031211092347300_tyab007-B20","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1177\/1463499608093814","article-title":"Hacker practice: moral genres and the cultural articulation of liberalism","volume":"8","author":"Coleman","year":"2008","journal-title":"Anthropol Theory"},{"key":"2021031211092347300_tyab007-B21","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1093\/cybsec\/tyx008","article-title":"Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs","volume":"3","author":"Maillart","year":"2017","journal-title":"J Cybersecurity"},{"key":"2021031211092347300_tyab007-B22","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1109\/MSP.2007.180","article-title":"Vulnerability bazaar","volume":"5","author":"McKinney","year":"2007","journal-title":"IEEE Security Privacy"},{"key":"2021031211092347300_tyab007-B23","doi-asserted-by":"crossref","first-page":"143","DOI":"10.12690\/0161-8202-82.2.143","article-title":"Hacker\u2019s bazaar: the markets for cybercrime tools and stolen data","volume":"82","author":"Ablon","year":"2015","journal-title":"Def Counsel J"},{"key":"2021031211092347300_tyab007-B24","volume-title":"Software Engineering Best Practices: Lessons from Successful Projects in the Top Companies","author":"Jones","year":"2010"},{"key":"2021031211092347300_tyab007-B25","author":"Markus","year":"2000"},{"key":"2021031211092347300_tyab007-B26","doi-asserted-by":"crossref","first-page":"24262","DOI":"10.1109\/ACCESS.2017.2762729","article-title":"Build software or buy: a study on developing large scale software","volume":"5","author":"Shahzad","year":"2017","journal-title":"IEEE Access"},{"key":"2021031211092347300_tyab007-B27","doi-asserted-by":"crossref","first-page":"340","DOI":"10.1109\/TSE.2005.49","article-title":"Predicting the location and number of faults in large software systems","volume":"31","author":"Ostrand","year":"2005","journal-title":"IEEE Trans Software Eng"},{"key":"2021031211092347300_tyab007-B28","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1145\/502059.502041","article-title":"Bugs as deviant behavior: a general approach to inferring errors in systems code","volume":"35","author":"Engler","year":"2001","journal-title":"ACM SIGOPS Operating Systems Rev"},{"key":"2021031211092347300_tyab007-B29","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1145\/1646353.1646374","article-title":"A few billion lines of code later: using static analysis to find bugs in the real world","volume":"53","author":"Bessey","year":"2010","journal-title":"Commun ACM"},{"key":"2021031211092347300_tyab007-B30","doi-asserted-by":"crossref","first-page":"872","DOI":"10.1109\/TSE.2011.54","article-title":"On the distribution of bugs in the eclipse system","volume":"37","author":"Concas","year":"2011","journal-title":"IEEE Trans Software Eng"},{"key":"2021031211092347300_tyab007-B31","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1016\/S0167-7187(99)00029-6","article-title":"Vertical product differentiation, network externalities, and compatibility decisions","volume":"19","author":"Baake","year":"2001","journal-title":"Int J Industr Organ"},{"key":"2021031211092347300_tyab007-B32","doi-asserted-by":"crossref","first-page":"268","DOI":"10.1016\/j.ejor.2004.12.004","article-title":"Technology choice and timing with positive network effects","volume":"173","author":"Kornish","year":"2006","journal-title":"Euro J Operat Res"},{"key":"2021031211092347300_tyab007-B33","volume-title":"New Solutions for Cybersecurity","author":"Ellis","year":"2017"},{"key":"2021031211092347300_tyab007-B34","author":"Zhao","year":"2015"},{"key":"2021031211092347300_tyab007-B35","first-page":"35","author":"Walshe","year":"2020"},{"key":"2021031211092347300_tyab007-B36","volume-title":"Software Configuration Management Handbook","author":"Leon","year":"2015"},{"key":"2021031211092347300_tyab007-B37"},{"key":"2021031211092347300_tyab007-B38"},{"key":"2021031211092347300_tyab007-B39","author":"IBM and Ponemon Institute","year":"2018"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab007\/36578302\/tyab007.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab007\/36578302\/tyab007.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,3,12]],"date-time":"2021-03-12T11:10:07Z","timestamp":1615547407000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyab007\/6168453"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,1]]},"references-count":39,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,2,16]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyab007","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2021,1,1]]},"published":{"date-parts":[[2021,1,1]]},"article-number":"tyab007"}}