Analyzing Bug Bounty Programs: An Institutional Perspective on the Economics of Software Vulnerabilities

Abstract

This paper applies institutional economics theory (North, 1990) to examine the recent developments of bug bounty programs. A software vulnerability, commonly referred to as a bug, is a flaw in computer code that is an unintended consequence of design choices or mathematical errors in models. Until the bug is fixed with a software patch, it presents a security loophole and may be exploited in a cyber attack to intrude an information system. Major software companies, among them Microsoft, Adobe, and Oracle, received considerable media attention in 2013 for severe security issues. Some of their widely used applications were in danger of being exploited based on until recently unknown code vulnerabilities. Software companies have incentives to fix bugs in their software once they are discovered. The mode and degree of responsible disclosure has been a contentious issue in the information security community. In some cases, security researchers have faced legal challenges when they shared their findings with the software vendor or released such information to the public. In recent years, major software companies significantly adapted their approach by more openly incorporating externally gathered vulnerability information. Google, Microsoft, and Facebook, for instance, created structured programs where bug hunters can submit their digital prey, in exchange for a predefined bounty. Depending on the significance and sophistication of a vulnerability, the bounty price may range from a few $100 to up to $100,000. The paper argues that bug bounty programs constitute a significant change in the way vulnerability information is systematically acquired by software vendors. Related emerging norms and practices reduce the level of uncertainty in the exchange of critical vulnerability information. The paper purports that these changes will lead to an increase in reported and fixed vulnerabilities, resulting in a more secure and reliable Internet. To examine this preposition, the paper (1) provides an analytical, historical narrative of the development of bug bounty programs and changes in related security practices (e.g., No More Free Bugs campaign, cf. Naraine, 2009); and (2) provide an in-depth institutional, comparative analysis of multiple bug bounty programs. Institutional economics (North, 1990) and its application in the Internet domain (Mueller, 2002) provide a conceptual framework for the analysis. Institutions, “the rules of the game”, constrain and standardize the economic exchange, such as transacting software vulnerabilities. They provide theoretical explanations for the formation of bug bounty programs and address crucial issues on uncertainty (e.g., determining the legality of transactions, enforcement in case of defection) A bug, as a an information good, poses peculiar challenges to transactions, and thus accounts for higher transaction costs (cf. Arrow, 1962); institutions facilitate economic exchange despite uncertainty. To some degree institutions also deal with the paradox of the impossibility to evaluate an information good without rendering its value worthless. A potential buyer would hardly acquire a bug after s/he gained the desired knowledge upon inspection. Building and extending upon earlier research on markets for software bugs in computer science and economics (e.g., Finifter, Akhawe, & Wagner, 2012; Moussouris, 2014; Ozment, 2004; Ransbotham, Mitra, & Ramsey, 2012), this paper takes a distinct institutional perspective to explain the emergence of bounty programs. The empirical, ongoing research is based on a comprehensive document analysis, using media coverage, security reports and grey literature. Its main focus is on the bug bounty programs operated by Microsoft and Facebook. As such, it makes a contribution to the larger debate on responsible disclosure of software vulnerabilities and further informs the current policy debate on the regulation of zero-day exploits.