Merchants of vulnerabilities: How bug bounty programs benefit software vendors

Production and Operations Management · 2026
Cited by 0 · Top 6% of papers in the same journal and year
Renmin University (人大) journal list: AFT50 UTD24 ABS 4

Summary

Using a game-theoretic model, the paper analyses how bug bounty programs, through an incentive channel and a governance channel, shift the first discovery of severe vulnerabilities from malicious hackers to ethical hackers and raise vendor profit, while possibly prompting earlier software release.

Abstract

We study how bug bounty programs (BBPs) shape software vendors’ security and release choices. Vendors invest in internal assurance before release to reduce residual vulnerabilities, and after launch they must manage vulnerability discovery, disclosure, and remediation. We develop a game-theoretic model in which a vendor chooses release timing and severity-contingent bounties, anticipating effort by ethical and malicious hackers in a winner-take-all discovery race. The model highlights two linked mechanisms: an incentive channel that shifts first discovery of severe vulnerabilities away from malicious exploitation and toward ethical reporting, and a governance channel in which coordinated disclosure changes how vulnerability information is managed while remediation is underway. We derive closed-form optimal bounties and characterize a feasibility region that sustains positive bounties and interior success probabilities. Within this region, a BBP strictly increases the vendor’s expected profit by reallocating first-discovery probability on severe vulnerabilities from malicious to ethical hackers and by converting part of severe-loss exposure into bounded, pay-for-results expenditures. For private programs, we also solve for the optimal invited set of ethical hackers and show that this optimal set is strictly smaller than the expected number of malicious attackers. Higher bounties raise ethical hackers’ effort and first-discovery probabilities but also increase program cost, and they interact with reputational (non-monetary) incentives. Finally, in the baseline model, BBP adoption conditionally reduces the marginal value of additional pre-release delay and therefore conditionally implies earlier release relative to the no-BBP benchmark. This timing result is a within-model conditional implication; its practical relevance depends on operational readiness, triage throughput, and the vendor’s ability to validate and safely deploy fixes once a valid report arrives. 
Managerially, BBPs should be viewed as a post-release governance layer that complements strong internal assurance rather than as a substitute for it. Policymakers can support responsible use of BBPs by encouraging timely remediation, transparent post-patch disclosure, and reporting standards that reduce information asymmetry and triage frictions.
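The winner-take-all discovery race and the bounty/cost trade-off described in the abstract, as an added toy illustration that is not the paper's model (the paper's closed-form bounties come from functional forms that are not on this page; every functional form below is an assumption). It assumes each hacker's time to first discovery is exponential with rate equal to that hacker's search effort, that each of n invited ethical hackers searches at rate gamma times the bounty, that each of m malicious hackers searches at a fixed rate, and that the vendor pays the bounty once if an ethical hacker wins or bears the severe loss L if a malicious hacker wins. The parameter values are constructed. Under those assumptions the example shows the incentive channel (a positive bounty moves first-discovery probability to ethical hackers and strictly lowers expected severe-vulnerability cost) and the interior optimum that arises because a higher bounty raises both ethical effort and bounty spend. Because the toy has a single winner-take-all payout and no triage or reputational frictions, adding invited hackers never raises cost, so it does not reproduce the paper's private-program result that the optimal invited set is smaller than the expected number of attackers.

```python
"""Toy winner-take-all vulnerability discovery race.

Added illustration, not the paper's model. All functional forms are
assumptions:
- Each hacker's time to first discovery is exponential with rate equal to
  that hacker's search effort; the earliest discovery wins.
- n invited ethical hackers each search at rate gamma * bounty (effort
  rises linearly with the bounty); m malicious hackers each at rate lam_m.
- Ethical first: the vendor pays the bounty once and patches.
  Malicious first: the vendor bears severe loss `loss`.
"""
import math
import random


def p_ethical_first(n, gamma, bounty, m, lam_m):
    """P(an ethical hacker reports first).

    The minimum of independent exponentials belongs to each competitor with
    probability proportional to its rate, so group rates are summed.
    """
    eth = n * gamma * bounty
    mal = m * lam_m
    if eth + mal == 0:
        return 0.0
    return eth / (eth + mal)


def expected_severe_cost(n, gamma, bounty, m, lam_m, loss):
    """Expected vendor cost: bounded bounty spend when ethical hackers win,
    severe loss when malicious hackers win."""
    p = p_ethical_first(n, gamma, bounty, m, lam_m)
    return p * bounty + (1.0 - p) * loss


def optimal_bounty_closed_form(n, gamma, m, lam_m, loss):
    """Bounty minimising expected_severe_cost in this toy model.

    With a = n*gamma and c = m*lam_m the cost is (a b^2 + c L)/(a b + c);
    the first-order condition a b^2 + 2 c b - c L = 0 has one positive root.
    """
    a = n * gamma
    c = m * lam_m
    if a == 0:
        return 0.0  # no invited hackers: no bounty is worth paying
    return (math.sqrt(c * c + a * c * loss) - c) / a


def optimal_bounty_grid(n, gamma, m, lam_m, loss, b_max, step):
    """Brute-force check of the closed form on a bounty grid."""
    best_b = 0.0
    best_cost = expected_severe_cost(n, gamma, 0.0, m, lam_m, loss)
    b = step
    while b <= b_max:
        cost = expected_severe_cost(n, gamma, b, m, lam_m, loss)
        if cost < best_cost:
            best_b, best_cost = b, cost
        b += step
    return best_b, best_cost


def simulate_ethical_first(n, gamma, bounty, m, lam_m, trials, seed=1):
    """Monte Carlo estimate of p_ethical_first: draw every hacker's
    discovery time and record who is first."""
    if gamma * bounty == 0:
        return 0.0  # ethical hackers exert no effort without a bounty
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        t_eth = min(rng.expovariate(gamma * bounty) for _ in range(n))
        t_mal = min(rng.expovariate(lam_m) for _ in range(m))
        if t_eth < t_mal:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    # Constructed parameters: 5 invited hackers, effort 0.001 per currency
    # unit of bounty, 20 attackers at rate 1, severe loss of 1,000,000.
    N, GAMMA, M, LAM_M, LOSS = 5, 0.001, 20, 1.0, 1_000_000.0
    b_star = optimal_bounty_closed_form(N, GAMMA, M, LAM_M, LOSS)
    for b in (0.0, 10_000.0, b_star):
        print(f"bounty={b:10.0f}  "
              f"P(ethical first)={p_ethical_first(N, GAMMA, b, M, LAM_M):.3f}  "
              f"expected cost={expected_severe_cost(N, GAMMA, b, M, LAM_M, LOSS):10.0f}")
    print("closed form vs grid:", b_star,
          optimal_bounty_grid(N, GAMMA, M, LAM_M, LOSS, 200_000, 100))
    print("simulated P(ethical first) at bounty 10,000:",
          simulate_ethical_first(N, GAMMA, 10_000.0, M, LAM_M, 20_000))
```

Run as a script it prints the no-bounty benchmark (cost equal to the full severe loss), the cost at an arbitrary bounty, and the cost at the toy optimum, then confirms the closed form against a grid search and the race-share formula against simulation. The practical reading is the abstract's own caveat: the optimum exists only while a positive bounty actually buys ethical effort, and the toy says nothing about triage throughput or how quickly a validated report becomes a deployed fix.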

Keywords: software security · corporate governance · incentive mechanisms · vulnerability management