The Benefits of Vulnerability Discovery and Bug Bounty Programs
Published:
📌 Key Contributions
- Conducted an extensive empirical analysis of vulnerability reports from the Chromium Vulnerability Reward Programs (VRPs).
- Demonstrated that vulnerabilities in stable releases are harder to discover than those in development versions, offering evidence for the security benefits of VRPs.
- Showed that bug-bounty programs complement internal expertise and provide unique benefits by capturing a broader diversity of vulnerability types.
- Offered actionable insights for improving the effectiveness of bug-bounty programs, such as guiding bug hunters toward vulnerability types most relevant to real-world exploitation.
📝 Publication
This work is published in the Proceedings of the ACM Web Conference 2023 (WWW ‘23):
“The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox” [WWW-23].
Other relevant work: The 20th Annual Workshop on the Economics of Information Security (WEIS 2021), “On the benefits of bug bounty programs: A study of chromium vulnerabilities” [WEIS21].