{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T11:47:04Z","timestamp":1753876024789,"version":"3.41.2"},"reference-count":29,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2024,5,8]],"date-time":"2024-05-08T00:00:00Z","timestamp":1715126400000},"content-version":"vor","delay-in-days":128,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100004375","name":"Tel Aviv University","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004375","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,1,2]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>We first provide background on the \u201cnuts and bolts\u201d of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers (\u201cethical\u201d hackers) to facilitate the discovery of software vulnerabilities. Researchers get acknowledged for valid submissions, but only the first submission of a distinct vulnerability is rewarded money in this tournament-like setting. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was a significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae006","type":"journal-article","created":{"date-parts":[[2024,5,8]],"date-time":"2024-05-08T12:52:23Z","timestamp":1715172743000},"source":"Crossref","is-referenced-by-count":1,"title":["The simple economics of an external shock to a bug bounty platform"],"prefix":"10.1093","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1001-2668","authenticated-orcid":false,"given":"Aviram","family":"Zrahia","sequence":"first","affiliation":[{"name":"The Department of Public Policy, Tel Aviv University , Tel Aviv 6997801 ,","place":["Israel"]}]},{"given":"Neil","family":"Gandal","sequence":"additional","affiliation":[{"name":"Berglas School of Economics, Tel Aviv University , Tel Aviv 6997801 ,","place":["Israel"]},{"name":"School of Cyber Studies, University of Tulsa , Tulsa, OK 74104 ,","place":["USA"]}]},{"given":"Sarit","family":"Markovich","sequence":"additional","affiliation":[{"name":"Kellogg School of Management, Northwestern University , Evanston, IL 60208,","place":["USA"]}]},{"given":"Michael","family":"Riordan","sequence":"additional","affiliation":[{"name":"The Department of Economics, Columbia University , New York, NY 10027,","place":["USA"]}]}],"member":"286","published-online":{"date-parts":[[2024,5,8]]},"reference":[{"key":"2024121909144461400_bib1","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1007\/s12130-999-1026-0","article-title":"The cathedral and the bazaar","volume":"12","author":"Raymond","year":"1999","journal-title":"Knowl Technol Pol"},{"year":"2018","author":"Koustas","article-title":"Consumption insurance and multiple jobs: evidence from rideshare drivers","key":"2024121909144461400_bib2"},{"year":"2019","author":"Collins","article-title":"Is gig work replacing traditional employment? evidence from two decades of tax returns","key":"2024121909144461400_bib3"},{"key":"2024121909144461400_bib4","first-page":"358","article-title":"Why information security is hard - an economic perspective","volume":"2001","author":"Anderson","year":"2001","journal-title":"Proc Ann Comput Secur Appl Conf, ACSAC"},{"key":"2024121909144461400_bib5","doi-asserted-by":"publisher","first-page":"102248","DOI":"10.1016\/j.cose.2021.102248","article-title":"Cyber security in the age of COVID-19: a timeline and analysis of cyber-crime and cyber-attacks during the pandemic","volume":"105","author":"Lallie","year":"2021","journal-title":"Comput Secur"},{"key":"2024121909144461400_bib6","first-page":"133","article-title":"So long, and no thanks for the externalities: the rational rejection of security advice by users","author":"Herley","year":"2009","journal-title":"Proceedings New Security Paradigms Workshop"},{"key":"2024121909144461400_bib7","doi-asserted-by":"publisher","first-page":"868","DOI":"10.1111\/j.1467-6451.2010.00435.x","article-title":"Network security: vulnerabilities and disclosure policy","volume":"58","author":"Choi","year":"2010","journal-title":"J Ind Econ"},{"key":"2024121909144461400_bib8","doi-asserted-by":"crossref","DOI":"10.7249\/RR1751","article-title":"Zero days, thousands of nights: the life and times of zero-day vulnerabilities and their exploits","author":"Ablon","year":"2017"},{"key":"2024121909144461400_bib9","doi-asserted-by":"publisher","first-page":"31","DOI":"10.1109\/MS.2018.2880508","article-title":"Bug bounty programs for cybersecurity: practices, issues, and recommendations","volume":"37","author":"Malladi","year":"2020","journal-title":"IEEE Softw"},{"key":"2024121909144461400_bib10","doi-asserted-by":"publisher","first-page":"645","DOI":"10.1111\/j.1756-2171.2006.tb00036.x","article-title":"Two-sided markets: a progress report","volume":"37","author":"Rochet","year":"2006","journal-title":"RAND J Econ"},{"key":"2024121909144461400_bib11","doi-asserted-by":"crossref","first-page":"101774","DOI":"10.1016\/j.cose.2020.101774","article-title":"Cybersecurity and platform competition in the cloud","volume":"93","author":"Arce","year":"2020","journal-title":"Comput Secur"},{"key":"2024121909144461400_bib12","doi-asserted-by":"publisher","first-page":"88","DOI":"10.1002\/smj.941","article-title":"Entry into platform-based markets","volume":"33","author":"Zhu","year":"2012","journal-title":"Strateg Manage J"},{"key":"2024121909144461400_bib13","doi-asserted-by":"publisher","first-page":"990","DOI":"10.1162\/154247603322493212","article-title":"Platform competition in two-sided markets","volume":"1","author":"Rochet","year":"2003","journal-title":"J Eur Econ Assoc"},{"key":"2024121909144461400_bib14","doi-asserted-by":"publisher","first-page":"1494","DOI":"10.1287\/mnsc10500400","article-title":"Two-sided network effects: a theory of information product design","volume-title":"Manag Sci","author":"Parker","year":"2005"},{"key":"2024121909144461400_bib15","doi-asserted-by":"publisher","first-page":"309","DOI":"10.2307\/1593720","article-title":"Chicken & egg: competition among intermediation service providers","volume":"34","author":"Caillaud","year":"2003","journal-title":"RAND J Econ"},{"key":"2024121909144461400_bib16","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.ijindorg.2018.03.014","article-title":"Platform competition: who benefits from multihoming?","volume":"64","author":"Belleflamme","year":"2019","journal-title":"Int J Ind Organiz"},{"key":"2024121909144461400_bib17","first-page":"187","article-title":"Coase and the sharing economy","volume-title":"Forever Contemporary: The Economics of Ronald Coase","author":"Munger","year":"2015"},{"key":"2024121909144461400_bib18","first-page":"1105","article-title":"An empirical study of web vulnerability discovery ecosystems","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security","author":"Zhao","year":"2015"},{"key":"2024121909144461400_bib19","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1093\/cybsec\/tyx008","article-title":"Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs","volume":"3","author":"Maillart","year":"2017","journal-title":"J Cybersecur"},{"key":"2024121909144461400_bib20","first-page":"1","article-title":"Most successful vulnerability discoverers: motivation and methods","author":"Algarni","year":"2014","journal-title":"Proceedings of the International Conference on Security and Management (SAM)"},{"key":"2024121909144461400_bib21","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyab007","article-title":"Hacking for good: leveraging HackerOne data to develop an economic model of Bug Bounties","volume":"7","author":"Sridhar","year":"2021","journal-title":"J Cybersecur"},{"key":"2024121909144461400_bib22","doi-asserted-by":"crossref","first-page":"529","DOI":"10.1038\/s41562-021-01079-8","article-title":"A global panel database of pandemic policies (Oxford COVID-19 Government Response Tracker)","volume":"5","author":"Hale","year":"2021","journal-title":"Nat Hum Behav"},{"key":"2024121909144461400_bib23","first-page":"360","article-title":"Ideology \u00dcber Alles? Economics bloggers on Uber, Lyft, and other transportation network companies","volume":"12","author":"Horpedahl","year":"2015","journal-title":"Econ J Watch"},{"key":"2024121909144461400_bib24","first-page":"574","article-title":"Analyzing uber\u2019s ride-sharing economy","author":"Kooti","year":"2017","journal-title":"Proceedings of the 26th International World Wide Web Conference 2017, WWW 2017 Companion"},{"key":"2024121909144461400_bib25","doi-asserted-by":"publisher","first-page":"143","DOI":"10.12690\/0161-8202-82.2.143","article-title":"Hackers\u2019 bazaar: the markets for cybercrime tools and stolen data","volume":"82","author":"Ablon","year":"2015","journal-title":"Defense Counsel J"},{"year":"2022","author":"Spring","article-title":"An analysis of how many undiscovered vulnerabilities remain in information systems","key":"2024121909144461400_bib26"},{"key":"2024121909144461400_bib27","doi-asserted-by":"publisher","first-page":"103","DOI":"10.1016\/j.ijcip.2010.10.002","article-title":"The economics of cybersecurity: principles and policy options","volume":"3","author":"Moore","year":"2010","journal-title":"Int J Crit Infrastruct Prot"},{"key":"2024121909144461400_bib28","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/1-4020-8090-5_1","article-title":"System reliability and free riding","volume-title":"Economics of Information Security","author":"Varian","year":"2004"},{"key":"2024121909144461400_bib29","doi-asserted-by":"crossref","first-page":"17","DOI":"10.1007\/1-4020-8090-5_2","article-title":"Pricing security: a market in vulnerabilities","volume-title":"Economics of Information Security","author":"Jean\u00a0Camp","year":"2004"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae006\/61182450\/tyae006.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae006\/61182450\/tyae006.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,19]],"date-time":"2024-12-19T09:15:08Z","timestamp":1734599708000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae006\/7667075"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,1,1]]},"references-count":29,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1,2]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae006","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"type":"print","value":"2057-2085"},{"type":"electronic","value":"2057-2093"}],"subject":[],"published-other":{"date-parts":[[2024,1,1]]},"published":{"date-parts":[[2024,1,1]]},"article-number":"tyae006"}}