On the Benefits of Bug Bounty Programs: A Study of Chromium Vulnerabilities
Recently, bug-bounty programs have gained popularity and become a significant part of the security culture of many organizations. Bug-bounty programs enable these organizations to enhance their security posture by harnessing the diverse expertise and outside perspective of crowds of external security experts (i.e., bug hunters). However, quantifying the benefits of bug-bounty programs remains elusive, which presents a significant challenge for managing them. Beyond the inherent characteristics of a reported vulnerability (e.g., exploitability and severity), the value of a bug-bounty report also depends on the probability that the reported vulnerability would be discovered by a threat actor before an internal expert could discover and fix it. As a first step toward quantifying the benefits of bug-bounty programs, we present a data-driven study of the Chromium vulnerability reward program to determine (1) whether external bug hunters discover vulnerabilities that are significantly different from those discovered by internal security teams, (2) how often vulnerabilities are rediscovered and which vulnerability characteristics determine the probability of rediscovery, and (3) whether bug hunters discover vulnerabilities that are significantly different from those exploited by threat actors. Our key findings include that externally reported security issues significantly differ from internally reported ones, which suggests that external bug hunters provide unique benefits by complementing internal security teams; that rediscovery probabilities are non-negligible, which means that finding and patching vulnerabilities is beneficial because many vulnerabilities are easy to discover; and that vulnerabilities exploited by threat actors significantly differ from issues that are reported either internally or externally, which suggests that security could be improved by shifting the focus of vulnerability-discovery efforts.