CR CY SE | May 24, 2018

A Bug Bounty Perspective on the Disclosure of Web Vulnerabilities

arXiv:1805.09850v13 citations
Originality: Synthesis-oriented
AI Analysis

It provides empirical insights into bug bounty platforms for cybersecurity researchers and practitioners, though it is incremental by applying existing methods to new data.

The paper analyzed the Open Bug Bounty platform from 2015 to 2017, finding it successfully disseminated nearly 160,000 web vulnerabilities with fast evaluation times but long patching delays, while highlighting productivity and knowledge gaps among hackers.

Bug bounties have become increasingly popular in recent years. This paper discusses bug bounties by framing them theoretically against the so-called platform economy. Empirically, the focus is on the disclosure of web vulnerabilities through the Open Bug Bounty (OBB) platform between 2015 and late 2017. According to the empirical results, based on a dataset covering nearly 160 thousand web vulnerabilities, (i) OBB has been successful as a community-based platform for the dissemination of web vulnerabilities, and the platform has also attracted many productive hackers; (ii) but there exists a large productivity gap, which likely relates to (iii) a knowledge gap and the use of automated tools for web vulnerability discovery. While the platform (iv) has been exceptionally fast to evaluate new vulnerability submissions, (v) the patching times of the web vulnerabilities disseminated have been long. With these empirical results and the accompanying theoretical discussion, the paper contributes to the small but rapidly growing body of research on bug bounties. In addition, the paper makes a practical contribution by discussing the business models behind bug bounties from the viewpoints of platforms, ecosystems, and vulnerability markets.
