The Benefits of Vulnerability Discovery and Bug Bounty Programs

Recommended citation: Atefi, S., Sivagnanam, A., Ayman, A., Grossklags, J., & Laszka, A. (2023, May). The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox. In Proceedings of the ACM Web Conference (pp. 2209–2219). ACM.

📌 Key Contributions

  • Collected the publicly available Chromium data set using the Monorail API, Google Release Notes and the Google Chrome Hall of Fame
  • Performed an intensive data cleaning process to identify the original reporters, duplicate issues, and the time at which each issue was patched and the fix released to the public
  • Converted the processed data into a simple relational database using SQLite, with two tables representing the Issues and the Comments on those issues
  • Conducted a comprehensive empirical analysis of Chromium Vulnerability Reward Program (VRP) reports, focusing on trends across stable and development versions
  • Provided evidence that vulnerabilities in stable releases are harder to detect, validating the security impact of structured VRPs
  • Demonstrated that bug-bounty programs complement internal security teams by uncovering a diverse range of vulnerability types beyond in-house detection capabilities
  • Delivered actionable insights to enhance bug-bounty effectiveness, including targeted guidance for bug hunters toward vulnerabilities with higher real-world exploitation potential

📝 Publication

This work is published in the Proceedings of the ACM Web Conference 2023 (WWW ‘23):
“The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox” [WWW-23].

Other relevant work: The 20th Annual Workshop on the Economics of Information Security (WEIS 2021), “On the benefits of bug bounty programs: A study of chromium vulnerabilities” [WEIS21]