Understanding the Heterogeneity of Contributors in Bug Bounty Programs

TL;DR

This study investigates the diverse characteristics and motivations of contributors in bug bounty programs through analysis of 82 programs and surveys, revealing heterogeneity that can inform improvements and future research.

Contribution

It provides the first comprehensive analysis of contributor heterogeneity in bug bounty programs, combining empirical data and surveys to uncover different contributor types and motivations.

Findings

Existence of project-specific and non-specific contributors

Contributors have varied motivations for participation

Insights can improve bug bounty program effectiveness

Abstract

Background: While bug bounty programs are not new in software development, an increasing number of companies, as well as open source projects, rely on external parties to perform the security assessment of their software for reward. However, there is relatively little empirical knowledge about the characteristics of bug bounty program contributors. Aim: This paper aims to understand those contributors by highlighting the heterogeneity among them. Method: We analyzed the histories of 82 bug bounty programs and 2,504 distinct bug bounty contributors, and conducted a quantitative and qualitative survey. Results: We found that there are project-specific and non-specific contributors who have different motivations for contributing to the products and organizations. Conclusions: Our findings provide insights to make bug bounty programs better and for further studies of new software development roles.