Bug Bounties: Between New Regulations and Geopolitical Dynamics

Abstract

Crowdsourced security and vulnerability co-ordination platforms, such as Bugcrowd or HackerOne, reward individuals for discovering, reporting, and responsibly disclosing software bugs. A growing number of vendors are turning towards these platforms to improve their product’s security, whilst others set up their own bug bounty programs (BBPs) alongside more traditional approaches, such as in-house testing and professional security reviews. Whether providing a supplementary or even alternative path to organisational cybersecurity, these newer approaches go beyond increasing product security, for example by fostering co-operation between various actors or providing a clear incentive to remain on the ethical side of security research. Whilst some research centres on the reward structures, actor motivations, or effectiveness, the wider impact on peace and stability in cyberspace is rarely examined. Similarly, rarely is light shed on emerging regulatory or policy approaches, or the effects this might have. To fill these gaps, the paper will use Global Public Goods (GPGs) theory to example BBPs across two case studies. Whereas the novel Chinese regulations push towards more national sovereignty in cyberspace, the European Union invests in the compensation of BBP under-provision among open source software (OSS). These regulatory changes in China and endeavours by the European Union, respectively, reveal that the prevalent geopolitical divisions in related topics, such as internet governance, continue to play their part. Further research on BBPs is proposed to quantitatively examine their effect on peace and stability.