How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model

计算机科学 博弈论 万维网 微观经济学 经济
作者
Leting Zhang,Emre M. Demirezen,Subodha Kumar
出处
期刊:Information Systems Research [Institute for Operations Research and the Management Sciences]
卷期号:36 (2): 1031-1053 被引量:2
标识
DOI:10.1287/isre.2021.0349
摘要

A bug bounty program (BBP) is an innovative crowdsourcing security solution increasingly adopted by organizations. We use a game-theoretical model to analyze how key characteristics impact BBPs and offer practical insights into managing a BBP as part of an organization’s vulnerability management for better cost-effectiveness. Our findings indicate that organizations with high patching complexity should announce lower bounties, especially if they face limited security resources. BBPs should complement, not substitute, an organization’s security characteristics. Evaluating patching complexity and security posture is crucial when designing a BBP. Furthermore, security researchers drive BBP performance. Higher productivity in researchers doesn’t always require higher bounties even with high postdiscovery costs. Novice productivity can increase total costs if unit postdiscovery costs are high, whereas expert productivity consistently reduces costs. Organizations should disclose high-level product and information technology (IT) features to increase expert productivity. The number of security researchers in a BBP is important, but increasing their numbers doesn’t always necessitate higher bounties. A larger crowd may not always be cost-effective. Lastly, enhanced legal protection for security researchers might not increase organizational risks, especially in organizations with robust security or less sophisticated IT infrastructure. Industrial associations and policymakers should consider these factors in standards and legal frameworks.
最长约 10秒,即可获得该文献文件

科研通智能强力驱动
Strongly Powered by AbleSci AI
科研通是完全免费的文献互助平台,具备全网最快的应助速度,最高的求助完成率。 对每一个文献求助,科研通都将尽心尽力,给求助人一个满意的交代。
实时播报
刚刚
陈宝妮完成签到,获得积分10
刚刚
缓慢的台灯完成签到,获得积分10
刚刚
刚刚
传奇3应助yh采纳,获得150
1秒前
无花果应助不要加糖采纳,获得10
1秒前
nini完成签到,获得积分10
1秒前
1秒前
爱宁完成签到 ,获得积分10
1秒前
英吉利25发布了新的文献求助10
1秒前
1秒前
1秒前
Copyright应助麦香鱼采纳,获得10
1秒前
liuxun_0711完成签到,获得积分10
1秒前
1秒前
2秒前
jagger完成签到,获得积分10
2秒前
2秒前
3秒前
超级铅笔完成签到,获得积分10
3秒前
七月流火应助银漪采纳,获得10
3秒前
3秒前
3秒前
郭翔完成签到,获得积分10
3秒前
Baneyhua发布了新的文献求助10
3秒前
蒋瑞轩完成签到,获得积分10
4秒前
beiyao完成签到,获得积分10
5秒前
5秒前
温暖万天发布了新的文献求助100
5秒前
mmx完成签到,获得积分10
5秒前
jagger发布了新的文献求助10
5秒前
搜集达人应助kendrick677采纳,获得10
5秒前
扶光完成签到,获得积分10
6秒前
闪闪发布了新的文献求助10
6秒前
hahaha发布了新的文献求助10
6秒前
ayutaoo完成签到,获得积分10
7秒前
adoudoo发布了新的文献求助10
7秒前
Hana发布了新的文献求助10
7秒前
bkagyin应助要天天开心采纳,获得10
7秒前
天天快乐应助dd123采纳,获得10
7秒前
高分求助中
Cronologia da história de Macau 5000
Merrill's Atlas of Radiographic Positioning and Procedures - 3-Volume Set, 16th Edition 2000
Erwählung und Berufung bei Paulus: Bedeutung, Entwicklung und Funktion einer Vorstellung in ihrem frühjüdischen und griechisch-römischen Kontext 850
Matrix Methods in Data Mining and Pattern Recognition 510
Interactions of Vowel Quality and Prosody in East Slavic 500
Vander's Renal Physiology第10版 500
Animalia: Animal and Human Interaction in the Early Medieval English World (Exeter Studies in Medieval Europe) 400
热门求助领域 (近24小时)
化学 材料科学 医学 生物 纳米技术 工程类 有机化学 化学工程 生物化学 计算机科学 内科学 物理 复合材料 催化作用 细胞生物学 无机化学 光电子学 物理化学 电极 基因
热门帖子
关注 科研通微信公众号,转发送积分 7128541
求助须知:如何正确求助?哪些是违规求助? 8779091
关于积分的说明 18558946
捐赠科研通 6709818
什么是DOI,文献DOI怎么找? 3151245
关于科研通互助平台的介绍 2274142
邀请新用户注册赠送积分活动 2125507