The Benefits of Vulnerability Discovery and Bug Bounty Programs

Recommended citation: Atefi, S., Sivagnanam, A., Ayman, A., Grossklags, J., & Laszka, A. (2023, May). The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox. In Proceedings of the ACM Web Conference, (pp 2209–2219), ACM

📌 Key Contributions

  • Collected the publicly available Chromium issue data using the Monorail API, Google Release Notes, and the Google Chrome Hall of Fame
  • Performed an intensive data-cleaning pass to identify the original reporter of each issue, merge duplicate reports, and recover both the time at which each issue was patched and the time at which the fix was released to the public
  • Converted the processed data into a relational SQLite database with two tables, Issues and Comments
  • Conducted a comprehensive empirical analysis of Chromium Vulnerability Reward Program (VRP) reports, focusing on trends across stable and development versions
  • Provided evidence that vulnerabilities in stable releases are harder to detect, supporting the security value of structured VRPs
  • Showed that bug-bounty programs complement internal security teams by uncovering a diverse range of vulnerability types beyond what in-house detection finds
  • Delivered actionable insights for improving bug-bounty effectiveness, including guidance for steering bug hunters toward vulnerability types with higher real-world exploitation potential
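The pipeline in the first three bullets (collect, deduplicate and recover patch/release times, load into SQLite with Issues and Comments tables) can be sketched as follows. This is an added example, not the authors' code, and the column layout, the hypothetical `SAMPLE_ISSUES`/`SAMPLE_COMMENTS` records and the two-milestone (`fixed`, `released`) convention are assumptions; the page does not describe the real Monorail export fields.

```python
import sqlite3

# Constructed sample records (NOT the paper's dataset): a few hypothetical
# issues in the shape a cleaned Monorail export might take.
# id, reporter, opened, fixed, released, channel, duplicate_of
SAMPLE_ISSUES = [
    (1001, "alice", "2021-03-01", "2021-03-10", "2021-03-30", "stable", None),
    (1002, "bob",   "2021-03-05", None,         None,         "stable", 1001),  # duplicate of 1001
    (1003, "carol", "2021-04-02", "2021-04-04", "2021-04-06", "dev",    None),
    (1004, "dave",  "2021-04-10", "2021-04-30", "2021-05-25", "stable", None),
    (1005, "erin",  "2021-05-01", "2021-05-03", "2021-05-04", "dev",    None),
]
# issue_id, author, posted, body (constructed)
SAMPLE_COMMENTS = [
    (1001, "alice",   "2021-03-01", "Initial report: use-after-free in renderer."),
    (1001, "triager", "2021-03-02", "Confirmed; assigning severity."),
    (1002, "triager", "2021-03-06", "Duplicate of issue 1001."),
    (1004, "dave",    "2021-04-10", "Initial report: OOB read in PDF parser."),
]

SCHEMA = """
CREATE TABLE Issues (
    id           INTEGER PRIMARY KEY,
    reporter     TEXT NOT NULL,
    opened       TEXT NOT NULL,            -- ISO date of the report
    fixed        TEXT,                     -- ISO date the patch landed
    released     TEXT,                     -- ISO date the fix shipped publicly
    channel      TEXT NOT NULL CHECK (channel IN ('stable', 'dev')),
    duplicate_of INTEGER REFERENCES Issues(id)
);
CREATE TABLE Comments (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    issue_id INTEGER NOT NULL REFERENCES Issues(id),
    author   TEXT NOT NULL,
    posted   TEXT NOT NULL,
    body     TEXT NOT NULL
);
"""

MILESTONES = ("fixed", "released")  # whitelist: these names are spliced into SQL


def build_db(issues=SAMPLE_ISSUES, comments=SAMPLE_COMMENTS):
    """Load cleaned records into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Issues VALUES (?,?,?,?,?,?,?)", issues)
    conn.executemany(
        "INSERT INTO Comments (issue_id, author, posted, body) VALUES (?,?,?,?)", comments
    )
    conn.commit()
    return conn


def original_reporter(conn, issue_id):
    """Follow duplicate_of links to the canonical issue and return its reporter."""
    seen = set()
    while issue_id not in seen:
        seen.add(issue_id)
        row = conn.execute(
            "SELECT reporter, duplicate_of FROM Issues WHERE id = ?", (issue_id,)
        ).fetchone()
        if row is None:
            raise KeyError(f"unknown issue {issue_id}")
        reporter, dup = row
        if dup is None:
            return reporter
        issue_id = dup
    raise ValueError("cycle in duplicate_of chain")


def latency_days(conn, milestone="fixed"):
    """Days from report to the given milestone, per canonical issue (None if not reached)."""
    if milestone not in MILESTONES:
        raise ValueError(f"unknown milestone {milestone!r}")
    rows = conn.execute(
        f"SELECT id, julianday({milestone}) - julianday(opened) "
        "FROM Issues WHERE duplicate_of IS NULL ORDER BY id"
    ).fetchall()
    return {i: (None if d is None else int(d)) for i, d in rows}


def mean_latency_by_channel(conn, milestone="fixed"):
    """Mean report-to-milestone latency for stable vs. dev, over canonical, completed issues."""
    if milestone not in MILESTONES:
        raise ValueError(f"unknown milestone {milestone!r}")
    rows = conn.execute(
        f"SELECT channel, AVG(julianday({milestone}) - julianday(opened)) FROM Issues "
        f"WHERE duplicate_of IS NULL AND {milestone} IS NOT NULL GROUP BY channel"
    ).fetchall()
    return {c: round(v, 1) for c, v in rows}


def duplicate_counts(conn):
    """Number of duplicate reports folded into each canonical issue."""
    rows = conn.execute(
        "SELECT duplicate_of, COUNT(*) FROM Issues WHERE duplicate_of IS NOT NULL GROUP BY duplicate_of"
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_db()
    print("reporter of 1002 ->", original_reporter(db, 1002))
    print("days to fix:", latency_days(db, "fixed"))
    print("mean days to public release by channel:", mean_latency_by_channel(db, "released"))
```

Keeping the date columns as ISO strings lets SQLite's `julianday()` do the arithmetic directly; the milestone whitelist matters because the column name is interpolated into the query text rather than bound as a parameter.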

📝 Publication

This work is published in the Proceedings of the ACM Web Conference 2023 (WWW ‘23):
“The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox” [WWW-23].

Related work: the 20th Annual Workshop on the Economics of Information Security (WEIS 2021), “On the benefits of bug bounty programs: A study of Chromium vulnerabilities” [WEIS21].