Web Science Challenges in Researching Bug Bounties

Abstract

The act of searching for security flaws (vulnerabilities) in a piece of software was previously considered to be the preserve of malicious actors, or at least actors who wished to cause chaos. Increasingly, however, companies are recognising the value of running a bug bounty program, where they will pay 'white hat' hackers to locate and disclose security flaws in their applications in order that they can fix it. This is known as a 'bug bounty' or a 'vulnerability reward program', and at present has seen comparatively little research. This paper introduces two existing research on bug bounties in two areas: as a means of regulating the sale of vulnerabilities; and as a form of crowdsourcing. We argue that the nature of bug bounties makes Web science particularly suitable to drive forward research. We identify gaps in the current literature, and propose areas which we consider to be particularly promising for future research.