Bug Bounty Programs for Third-Party Software: Adoption Strategy and Effectiveness Analysis | Episode No.147

Workshop’s Topic: Bug bounty programs (BBPs) reward external hackers for identifying and reporting software vulnerabilities. As the number of security issues caused by third-party applications has increased significantly in recent years, many digital platforms are considering launching BBPs to improve the reliability of third-party software. BBPs benefit platforms and vendors, but they also impose additional costs on them. BBPs also change software vendors’ incentive to invest in reliability during the initial application development stage. As a result, the overall impact of BBP use is unclear. In this paper, we present an analytical model to examine the strategic decisions to launch and participate in BBPs for a platform and a third-party vendor, respectively. We find that their decision-making depends on two key factors: the expected loss caused by security breaches and the vendor’s initial reliability investment efficiency. We show that the incentives to adopt a BBP, for the platform and for the vendor, are sometimes inconsistent, and that using a BBP is not always socially optimal. Under certain conditions, BBP use reduces the overall software reliability rather than improving it: BBP use makes the platform marketplace less secure and thus hurts end users.

Time and Location: 10:00 AM (GMT+8), Room A823 (School of Management)

Language: Bilingual (Chinese and English)