Abstract
This working paper applies institutional economics theory (North, 1990) to examine the recent developments of bug bounty programs. A software vulnerability, commonly referred to as a bug, is a security flaw in computer code. Until the bug is fixed with a software patch, it presents a security loophole and may be exploited in a cyber attack. Major software companies, among them Microsoft, Adobe, and Oracle, received considerable media attention in 2013 and 2014 for severe security issues and breaches. Some of their widely used applications were in danger of being exploited based on previously unknown code vulnerabilities. Given software companies’ incentives to fix vulnerabilities in their software, major software vendors significantly adapted their approaches in recent years by more openly incorporating externally gathered vulnerability information. Google, Microsoft, and Facebook, for instance, created structured programs where bug hunters can submit their digital prey, in exchange for a bounty. Depending on the severity and significance of a security vulnerability, the bounty price may range from a few hundred US dollars up to USD 100,000.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
