Professional Documents
Culture Documents
Walshe and Simpson An Empirical Study of Bug Bounty Programs
Walshe and Simpson An Empirical Study of Bug Bounty Programs
Thomas Walshe and Andrew Simpson Department of Computer Science, University of Oxford
Wolfson Building, Parks Road, Oxford OX1 3QD, United Kingdom
Email: firstname.secondname@cs.ox.ac.uk
Abstract—The task of identifying vulnerabilities is commonly each day the program is run — resulting in $11.9 million being
outsourced to hackers participating in bug bounty programs. As paid out to hackers for successfully finding vulnerabilities [8].
of July 2019, bug bounty platforms such as HackerOne have over An empirical study into the use of rewards programs has the
200 publicly listed programs, with programs listed on HackerOne
being responsible for the discovery of tens of thousands of potential for economic analysis to be performed, with a view
vulnerabilities since 2013. We report the results of an empirical to explaining why some companies are increasingly utilising
analysis that was undertaken using the data available from two the global network of security expertise offered by hackers,
bug bounty platforms to understand the costs and benefits of bug instead of hiring additional staff — and whether others should
bounty programs both to participants and to organisations. We follow that pattern [9]. These questions drive this contribution.
consider the economics of bug bounty programs, investigating
the costs and benefits to those running such programs and the In order to give appropriate consideration both to related
hackers that participate in finding vulnerabilities. We find that work and to our questions of interest, we first need to
the average cost of operating a bug bounty program for a year is establish appropriate criteria. One such criterion is the cost
now less than the cost of hiring two additional software engineers. of employment of a software engineer, which we calculate as
follows.
Index Terms—Bug bounty programs, vulnerability disclosure,
software security The average salary for a London-based software engineer is
£41,700 [10], which is equivalent to $51,708 (exchange rate £1
I. I NTRODUCTION to $1.24, as of 17th of July 2019). Of course, the hiring process
An increasingly popular approach to identifying vulnerabil- has additional initial costs when new staff are employed —
ities in software is to offer rewards to security researchers that Blatter et al. estimated the cost of hiring new skilled workers
are external to an organisation (‘hackers’) to find and disclose to be equivalent to 10–17 weeks salary [11]. This puts the
vulnerabilities [1]. This approach is now seeing adoption in total cost of hiring an additional software engineer between
areas such as e-voting systems, government systems and self- $61,652 and $68,613 for the first year. Therefore, an average
driving cars [2]–[4]. value of $65,133 will be used to represent the cost of hiring
As an example. the Swiss government launched a program an additional software engineer throughout this paper.
offering e132,000 for hackers to find vulnerabilities in an e- II. BACKGROUND AND M OTIVATION
voting system. Rewards of up to e44,000 were made available A. Background
to hackers who discovered undetectable ways of manipulating
votes [2]. As another example, the US Department of Defense Vulnerability management aims to improve the security of a
(DoD) launched the ‘Hack the Pentagon’ pilot program in system through the identification, remediation and mitigation
April 2016, with the aim of assessing the benefit of opening of software vulnerabilities [12]. The latest version of the
up vulnerability discovery to hackers. Within six hours 138 Building Security in Maturity Model (BSIMM9) identifies the
vulnerabilities were found and reported [5]. The success of the operation of bug bounty programs (CMVM3.4) as a mature
program has led to the DoD introducing a new vulnerability activity that addresses the need for vulnerability manage-
disclosure policy, opening up new domains to hackers [3], ment [13]. Bug bounty programs are being integrated into
[6]. There have also been suggestions for US government secure software development lifecycle (SDLC) frameworks to
departments to participate in searches for vulnerabilities in aid security teams in the release and maintenance phases [14].
open-source projects [7]. Many large organisations (including Google, Facebook and
The formal exchange of information in this context is Microsoft) host their own bug bounty and vulnerability re-
typically facilitated by a bug bounty platform. The number wards programs [15]–[17]. Many smaller organisations choose
of new bug bounty programs available on platforms such to use bug bounty platforms such as HackerOne, BugCrowd
as HackerOne1 has increased year-on-year since 2013 [8], and Cobalt to advertise their programs [18]–[20]. HackerOne
with 50 new organisations launching a program in 2018. This offers a range of both free and paid for services to organisa-
increase is illustrated in Table I. tions wishing to run a bug bounty program. Free hosting allows
As of January 2019, the top 25 companies using HackerOne organisations to advertise their program to hackers, with only
have used the platform to obtain reports for over 19,000 vul- a 5% surcharge on any bounty payouts. Monetisation of the
nerabilities, at an average of 0.71 vulnerabilities reported for platform comes in the form of live-support and the operation of
a fully managed program — allowing for organisations without
1 https://www.hackerone.com experience to benefit from the operation of a bug bounty
TABLE I is recommended by the authors to include economic models
N UMBER OF NEW PROGRAMS ON H ACKERO NE FROM 2013 TO 2019 to identify phases during the operation of a program which,
Year New programs in part, motivates the present contribution.
2013–2014 11 A similar study by Zhao et al. analyses web vulnerability
2014–2015 26
2015–2016 33
reports on the Wooyun and HackerOne bug bounty plat-
2016–2017 37 forms [30]. Wooyun served as the predominant platform in
2017–2018 43 China from 2010 until being shut down in 2016 [31]. Analysis
2018–2019 50
of vulnerability reports is used to determine the number of
white hat hackers participating in the search for vulnerabil-
ities. HackerOne is shown to have a consistent growth of
program. One benefit offered by platforms is the increased
approximately 75 new hackers each month from 2014 to 2015.
visibility of programs, allowing for a large number of secu-
Wooyun received almost 200 hackers each month; however,
rity researchers to search for vulnerabilities [21]. Raymond
as most of the programs do not give rewards, there is little
argued that increasing the number of people searching for
incentive to participate. An interesting observation is that
vulnerabilities is beneficial with regards to minimising the
over half of all hackers have only submitted one report; the
number of vulnerabilities: “Given enough eyeballs, all bugs
top 100 have an average of 147 submissions per person.
are shallow” [22].
Basic economic analysis by the authors shows that offering
White hat hackers are independent security researchers
a monetary reward attracts more hackers than non-monetary
that are authorised by an organisation to identify security
rewards or acknowledgements in a hall of fame.
vulnerabilities in hardware, software or networks [23]. They
Unfortunately, [30] does not look into the use of the delayed
must comply with the ‘rules of engagement’ set out by an
full disclosure policy used by Wooyun. This controversial pol-
organisation to prevent misuse or intrusion into areas that are
icy can be used to force an organisation to fix vulnerabilities
out of scope [24]. Kranenbarg et al. recommend that new
more quickly. However, the policy creates conflict between
hackers should be taught about the rules around vulnerability
organisations and hackers, which is one of the contributing
disclosure as to avoid accident misuse [25].
factors that led to the shutdown of Wooyun in 2016, with
A benefit to these ethical hackers is the lucrative rewards
several members being arrested [32].
that can be paid out after being the first to discover and
document a critical vulnerability, with the highest single
C. Motivation
payout (at the time of writing) standing at $100,000 [26].
This also legitimises the work of many hackers who might Since the 2015 study by Zhao et al. [30], the number of
otherwise sell the vulnerability reports on cybercrime markets programs available on HackerOne has almost tripled from
for a similar price [27]. This crowdsourced approach to 82 to 212 [18]. In the last two years, an additional 2289
security brings together hackers from many backgrounds and rewarded reports have been disclosed on the Chromium bug
disciplines, resulting in a wide range of approaches to finding tracker — up from 501 in the years 2010 to 2013 [9], [33].
vulnerabilities that might not otherwise be achieved by an This significant increase in publicly available data gives strong
organisation’s security team [28], [29]. motivation to verify the hypotheses presented in the previous
two studies. For the oldest programs on HackerOne, six years
B. Related work of disclosure data is available. A temporal study can be
Finifter et al. considered the vulnerability reward programs conducted investigating the frequency and severity of reports
offered by Google and Mozilla for the Chrome and Fire- over time. This allows for the long term impact of operating
fox web browsers [9]. Vulnerability reports over three years a bug bounty program to be assessed and compared to the
(2010–2013) were analysed to find the payouts, severity and impact of hiring additional security researchers.
frequency at which reports are submitted. Comparing the two The creation of new economic models for bug bounty pro-
programs shows that Google has fixed three times as many grams has the potential to be useful to organisations wanting to
vulnerabilities identified by hackers than Mozilla. According set up a new program or maintain an existing one. Such models
to Finifter et al. this is due to a larger number of white hat could be used to determine the optimal rewards structure over
hackers (when compared to the Google program) taking part the lifetime of a program to attract the largest number of
in the program, as well as a broader reward structure [9]. hackers.
The daily cost to operate each program is reported as $485 The question Is it beneficial for a company to make use of
for Google and $658 for Mozilla; over the course of a year, bug bounty programs, instead of hiring additional software
the total cost is $177,025 ($485 × 365 days) and $240,170 engineers? is addressed at least in part by answering the
($658 × 365 days). This is broadly comparable to the salary following subsidiary questions:
of three or four additional software engineers, with the current 1) What is the expected cost per year of operating a bug
average salary of a software engineer being $65,133. The bounty program, and what results can be expected?
authors argue that it is economically viable to run bug bounty 2) What is the expected benefit per year?
programs instead of hiring additional researchers. Further work 3) How does the program activity vary across its lifetime?
4) Does the promise of higher bounty payouts result in an TABLE II
increased number of vulnerabilities being reported? S UMMARY OF INFORMATION COLLECTED FROM H ACKERO NE AND
B UG C ROWD
The motivation for Question 1 is to quantify the cost to
an organisation of running a program. This running cost can HackerOne BugCrowd
Programs 212 99
be directly compared to the average cost of hiring a software Reports 5,832 Not available
engineer (which, as discussed, we have estimated at $65,133). User data 100 92
If companies are to make use of bug bounty programs, the
cost of operating a program should be less than the cost of
hiring security researchers, while yielding a similar number
of vulnerabilities found per year. The benefit of operating a
bug bounty program is explored in Question 2. Question 3
considers the long-term effect of operating a program. Under-
standing how the rate of vulnerability discovery changes over
time allows for the long-term costs of operating a program
to be estimated. Finally, Question 4 considers the program
rewards structure and the effect this has on hacker productivity.
A company will want to keep the operating costs low and
the rate of vulnerability discovery high. Investigating the link
between bounty payouts and rate of vulnerability discovery
allows for an optimal rewards structure to be proposed.
III. DATA
HackerOne and BugCrowd were chosen because of the large
quantity of publicly available data on their platforms. They Fig. 1. Histogram of the cost per day to operate a bug bounty program.
are also the two most searched for bug bounty platforms [34].
Synack also provides a platform that is growing in popularity;
however, there is currently no public data provided [35]. IV. R ESULTS
The lack of publicly available data and poor transparency This section presents results that help answer the questions
in many programs is an issue that inevitably limits current introduced in Section II-C. Results pertaining to Question 1 are
research [36], [37]. Increased transparency may benefit both presented in Sections IV-A and IV-B. Questions 2 and 3 are ex-
hackers and organisations wishing to learn about uncommon plored in Sections IV-C and IV-D respectively. The remaining
vulnerabilities that might be found [38]. subsections give consideration to additional interesting data
For HackerOne, all of the program data available on the di- collected from HackerOne and BugCrowd.
rectory was collected. The data for each program was: program
launch date, number of reports resolved, minimum bounty, and A. What is the expected cost per year of operating a bug
the average bounty. The Hacktivity section provides informa- bounty program?
tion on the latest reports submitted. Each entry contains the The total cost to run each program is given on HackerOne’s
username of the hacker that submitted the report and the time directory. Taking this figure and dividing it by the total number
of submission. Additional information is sometimes displayed, of days since the program was launched gives the average daily
which includes: a description of the vulnerability, severity running cost for each program.
level, and the bounty awarded. Every entry in this section was The average daily cost of operating a bug bounty program
collected. is $230, with a 95% confidence interval (CI) of [$126, $334].
The leaderboard provides information on the top 100 hack- This gives an average yearly cost of $83,950 ($230 × 365
ers: reputation is used as a measured of number of valid reports days). This is more than the $65,133 required to hire each
submitted, signal is the average reputation per report, and additional software engineer.
impact is the average reputation per bounty. This information The daily cost of operating each program is displayed in
was collected for user analysis. Figure 1. This shows that a large proportion of programs have
Program data was also collected from BugCrowd; this an operating cost of $250 per day or less. There are several
information was not as extensive as the HackerOne directory. outliers found on HackerOne; we consider these below.
For each program, the number of vulnerabilities discovered • PayPal launched a program in August of 2018 and has
and the average payout was collected. BugCrowd provides paid out over $700,000 to date. The high operating cost
detailed user performance statistics for each hacker. This data of $3,766 per day is due to the large number of critical
was collected for users with the highest number of points in vulnerabilities reported; these pay out up to $23,000 each.
a program’s Hall of Fame. • The newest available program was Postmates, and within
All data was collected from December 2018 to January one week after launch they had already spent $26,124 to
2019. A summary of all data collected is shown in Table II. find 75 vulnerabilities. The daily cost was $3,732; this
TABLE III
C ONVERSION FROM CVSS 3.0 SCORE TO SEVERITY RATING .
TABLE IV
S EVERITY OF THE MOST RECENT 3,000 DISCLOSED REPORTS ON
H ACKERO NE , ALONG WITH AVERAGE PAYOUTS .
Fig. 4. Cumulative number of reports for six programs over the first 100
days.