Session

Bug Hunters’ Perspectives on the Challenges and Benefits of the Bug Bounty Ecosystem

Although researchers have characterised the bug-bounty ecosystem from the point of view of platforms and programs, minimal effort has been made to understand the perspectives of the main workers: bug hunters. To improve bug bounties, it is important to understand hunters’ motivating factors, challenges, and overall benefits. We address this research gap with three studies: identifying key factors through a free listing survey (n=56), rating each factor’s importance with a larger-scale factor-rating survey (n=159), and conducting semi-structured interviews to uncover details (n=24). Of 54 factors that bug hunters listed, we find that rewards and learning opportunities are the most important benefits. Further, we find scope to be the top differentiator between programs. Surprisingly, we find earning a reputation to be one of the least important motivators for hunters. Of the challenges we identify, communication problems, such as unresponsiveness and disputes, are the most substantial. We present recommendations to make the bug-bounty ecosystem accommodating to more bug hunters and ultimately increase participation in an underutilised market.

About the speaker

Omer Akgul

PhD Student at University of Maryland
Omer Akgul is a Computer Science PhD student at the University of Maryland, College Park. Advised by Michelle Mazurek, he is a member of the SP2, MC2, and HCIL research groups. Omer’s research addresses critical human factors in security and privacy issues, focusing on the perspectives of both end-users and security and privacy professionals. His work has been recognised with a distinguished paper award (USENIX Security 2023) and regularly appears in prominent security and privacy venues.
Copyright © 2025 Swiss Cyber Storm