The Benefits of Vulnerability Discovery and Bug Bounty Programs

Published:

📌 Key Contributions

  • Conducted an extensive empirical analysis of vulnerability reports from the Chromium Vulnerability Reward Programs (VRPs).
  • Demonstrated that vulnerabilities in stable releases are harder to discover than those in development versions, offering evidence for the security benefits of VRPs.
  • Showed that bug-bounty programs complement internal expertise and provide unique benefits by capturing a broader diversity of vulnerability types.
  • Offered actionable insights for improving the effectiveness of bug-bounty programs, such as guiding bug hunters toward vulnerability types most relevant to real-world exploitation.

📝 Publication

This work is published in the Proceedings of the ACM Web Conference 2023 (WWW ‘23):
“The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox” [WWW-23].

Other relevant work: The 20th Annual Workshop on the Economics of Information Security (WEIS 2021), “On the benefits of bug bounty programs: A study of chromium vulnerabilities” [WEIS21].