外部冲击对漏洞悬赏平台的简单经济学影响

IF 2.9 Q1 SOCIAL SCIENCES, INTERDISCIPLINARY
Aviram Zrahia, Neil Gandal, Sarit Markovich, Michael Riordan
{"title":"外部冲击对漏洞悬赏平台的简单经济学影响","authors":"Aviram Zrahia, Neil Gandal, Sarit Markovich, Michael Riordan","doi":"10.1093/cybsec/tyae006","DOIUrl":null,"url":null,"abstract":"We first provide background on the “nuts and bolts” of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers (“ethical” hackers) to facilitate the discovery of software vulnerabilities. Researchers get acknowledged for valid submissions, but only the first submission of a distinct vulnerability is rewarded money in this tournament-like setting. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was a significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":"75 1","pages":""},"PeriodicalIF":2.9000,"publicationDate":"2024-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"The simple economics of an external shock to a bug bounty platform\",\"authors\":\"Aviram Zrahia, Neil Gandal, Sarit Markovich, Michael Riordan\",\"doi\":\"10.1093/cybsec/tyae006\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"We first provide background on the “nuts and bolts” of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers (“ethical” hackers) to facilitate the discovery of software vulnerabilities. Researchers get acknowledged for valid submissions, but only the first submission of a distinct vulnerability is rewarded money in this tournament-like setting. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was a significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.\",\"PeriodicalId\":44310,\"journal\":{\"name\":\"Journal of Cybersecurity\",\"volume\":\"75 1\",\"pages\":\"\"},\"PeriodicalIF\":2.9000,\"publicationDate\":\"2024-05-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Cybersecurity\",\"FirstCategoryId\":\"1093\",\"ListUrlMain\":\"https://doi.org/10.1093/cybsec/tyae006\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"SOCIAL SCIENCES, INTERDISCIPLINARY\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cybersecurity","FirstCategoryId":"1093","ListUrlMain":"https://doi.org/10.1093/cybsec/tyae006","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"SOCIAL SCIENCES, INTERDISCIPLINARY","Score":null,"Total":0}
引用次数: 0

摘要

我们首先介绍了漏洞悬赏平台的背景:这是一个连接企业和个人安全研究人员("道德 "黑客)的双向市场,旨在促进软件漏洞的发现。研究人员提交的有效漏洞会得到认可,但在这个类似于锦标赛的环境中,只有首次提交明显漏洞的研究人员才能获得奖金。然后,我们实证检验了外来冲击(COVID-19)对领先平台之一 Bugcrowd 的影响。这一冲击可能减少了许多安全研究人员的机会集,他们可能会失去工作或被安排休假。我们的研究表明,外生冲击导致供应曲线大幅右移,并增加了平台上的提交数量和新研究人员数量。在 COVID 期间,重复(已知)有效提交的数量大幅增加,导致获得金钱奖励的概率降低。供应增加导致有效提交的均衡价格大幅下降,这主要是由于重复提交的供应方效应。结果表明,如果平台上的公司和漏洞悬赏计划的数量有更大的增长,可能会发现更多独特的软件漏洞。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
The simple economics of an external shock to a bug bounty platform
We first provide background on the “nuts and bolts” of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers (“ethical” hackers) to facilitate the discovery of software vulnerabilities. Researchers get acknowledged for valid submissions, but only the first submission of a distinct vulnerability is rewarded money in this tournament-like setting. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was a significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Journal of Cybersecurity
Journal of Cybersecurity SOCIAL SCIENCES, INTERDISCIPLINARY-
CiteScore
6.20
自引率
2.60%
发文量
0
审稿时长
18 weeks
期刊介绍: Journal of Cybersecurity provides a hub around which the interdisciplinary cybersecurity community can form. The journal is committed to providing quality empirical research, as well as scholarship, that is grounded in real-world implications and solutions. Journal of Cybersecurity solicits articles adhering to the following, broadly constructed and interpreted, aspects of cybersecurity: anthropological and cultural studies; computer science and security; security and crime science; cryptography and associated topics; security economics; human factors and psychology; legal aspects of information security; political and policy perspectives; strategy and international relations; and privacy.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信