TY - GEN
T1 - Bug Hunters' Perspectives on the Challenges and Benefits of the Bug Bounty Ecosystem
AU - Akgul, Omer
AU - Eghtesad, Taha
AU - Elazari, Amit
AU - Gnawali, Omprakash
AU - Grossklags, Jens
AU - Mazurek, Michelle L.
AU - Votipka, Daniel
AU - Laszka, Aron
N1 - Publisher Copyright:
© USENIX Security 2023. All rights reserved.
PY - 2023
Y1 - 2023
N2 - Although researchers have characterized the bug-bounty ecosystem from the point of view of platforms and programs, minimal effort has been made to understand the perspectives of the main workers: bug hunters. To improve bug bounties, it is important to understand hunters' motivating factors, challenges, and overall benefits. We address this research gap with three studies: identifying key factors through a free listing survey (n=56), rating each factor's importance with a larger-scale factor-rating survey (n=159), and conducting semi-structured interviews to uncover details (n=24). Of 54 factors that bug hunters listed, we find that rewards and learning opportunities are the most important benefits. Further, we find scope to be the top differentiator between programs. Surprisingly, we find earning reputation to be one of the least important motivators for hunters. Of the challenges we identify, communication problems, such as unresponsiveness and disputes, are the most substantial. We present recommendations to make the bug-bounty ecosystem accommodating to more bug hunters and ultimately increase participation in an underutilized market.
AB - Although researchers have characterized the bug-bounty ecosystem from the point of view of platforms and programs, minimal effort has been made to understand the perspectives of the main workers: bug hunters. To improve bug bounties, it is important to understand hunters' motivating factors, challenges, and overall benefits. We address this research gap with three studies: identifying key factors through a free listing survey (n=56), rating each factor's importance with a larger-scale factor-rating survey (n=159), and conducting semi-structured interviews to uncover details (n=24). Of 54 factors that bug hunters listed, we find that rewards and learning opportunities are the most important benefits. Further, we find scope to be the top differentiator between programs. Surprisingly, we find earning reputation to be one of the least important motivators for hunters. Of the challenges we identify, communication problems, such as unresponsiveness and disputes, are the most substantial. We present recommendations to make the bug-bounty ecosystem accommodating to more bug hunters and ultimately increase participation in an underutilized market.
UR - http://www.scopus.com/inward/record.url?scp=85150154231&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85150154231
T3 - 32nd USENIX Security Symposium, USENIX Security 2023
SP - 2275
EP - 2291
BT - 32nd USENIX Security Symposium, USENIX Security 2023
PB - USENIX Association
T2 - 32nd USENIX Security Symposium, USENIX Security 2023
Y2 - 9 August 2023 through 11 August 2023
ER -