The Hackers’ Viewpoint: Exploring Challenges and Benefits of Bug-Bounty Programs

In recent years, bug-bounty programs have garnered popularity and became a significant part of the security culture of many organizations. Bug-bounty programs enable these organizations to improve their security posture by harnessing the outside perspective of a diverse crowd of security experts (bug hunters). However, bug-bounty programs also suffer from inefficiencies, such as duplicate and invalid bug reports, which are resource consuming for organizations and bug hunters alike. To address these issues, it is crucial to understand how bug hunters make decisions, what motivates them, and what challenges they face. We present the results of an initial survey conducted among bug hunters to address these questions. We recruited 56 security experts who participate in bug-bounty programs to answer open-ended questions regarding various aspects of their participation in bug-bounty programs. Their responses provide a detailed overview of the motivations of security experts and the challenges that they face.