Title : | Hackers’ self-selection in crowdsourced bug bounty programs (2021) |
Authors : | Arrah-Marie Jo |
Document type : | Article : electronic document |
In : | Revue d'économie industrielle (no. 172, 2020/4) |
Article on page(s) : | pp. 83-132 |
Languages : | English |
Categories : |
CEREQ Thesaurus IT OCCUPATION ; SSII - IT SERVICES COMPANY ; HRM PRACTICE ; REMUNERATION ; DIGITAL ECONOMY |
Abstract : | A bug bounty program, also known as a Vulnerability Research Program (VRP), is a form of crowdsourcing increasingly used by companies to improve their system security. It involves offering monetary rewards to individuals that find new security flaws in a piece of software or a system. One of the key challenges in the design of such contests is to attract enough participants of a high standard. In this paper, we study how hackers’ perception of the uncertainty of obtaining a reward, determined by the level of information a contest provides about the contractual terms, affects the outcome of the contest both quantitatively (the number of participations) and qualitatively (participant skill and experience). Specifically, we examine how a hacker’s choice to participate in a VRP depends on this level of information. Using an unbalanced panel data set on 156 bug bounty programs run on a well-known bug bounty platform, we find that a more detailed contest policy and in particular more information about the compensation scheme attracts a greater number of participants. On the contrary, providing less detail induces less participation but attracts more skilled and more experienced hackers. Hackers self-select whether to participate in a VRP according to the level of information about the contest’s contractual terms, which leads to a trade-off between inducing higher rates of participation and attracting more valuable participants. |
Céreq document : | No |
Online : | https://www.cairn.info/revue-d-economie-industrielle-2020-4-page-83.htm |