Researchers Find Bug Bounty Programs Pay Economic Rewards

Bug bounty programs can be as much as 100 times more cost-effective for finding security vulnerabilities than hiring full-time security researchers to do the same thing. New research from the University of California at Berkeley, which focused on bug bounty programs run by Google and Mozilla, found that each of these programs has cost the vendor about $400,000 over the course of three years, far less than it would’ve cost to hire employees to find the same number of vulnerabilities.

Bug bounty programs can be as much as 100 times more cost-effective for finding security vulnerabilities than hiring full-time security researchers to do the same thing. New research from the University of California at Berkeley, which focused on bug bounty programs run by Google and Mozilla, found that each of these programs has cost the vendor about $400,000 over the course of three years, far less than it would’ve cost to hire employees to find the same number of vulnerabilities.

Bug bounty programs have been increasing in popularity among vendors for the last few years as security researchers have shown a willingness to report their bugs directly to the vendors in return for guaranteed payouts. The prices that vendors will pay for vulnerabilities varies widely, from a few hundred dollars to tens of thousands of dollars, depending on the severity of the bug and which vendor is involved. Google tends to pay the largest rewards, often in the range of $3,000 to $5,000, and sometimes as high as $20,000. If you include the company’s Pwnium contest at security conferences, some of its rewards can reach $150,000 for serious Chrome vulnerabilities.

The rewards that Mozilla pays are smaller and they’re also fixed, whereas Google will vary its payouts based on a number of factors. Still, the the trio of Berkeley researchers found that both of the programs are effective at saving the companies money on security research and finding a high volume of vulnerabilities.

“The Chrome VRP has cost approximately $580,000 over 3 years and has resulted in 501 bounties paid for the identification of security vulnerabilities. The Firefox VRP has cost approximately $570,000 over the last 3 years and has yielded 190 bounties. 28% of Chrome’s patched vulnerabilities appearing in security advisories over this period, and 24% of Firefox’s,are the result of VRP contributions. Both programs appear economically efficient, comparing favorably to the cost of hiring full-time security researchers,” the paper, “An Empirical Study of Vulnerability Reward Programs”, found.

Those total dollar figures include all of the bounties paid out by the companies, including rewards for bugs in pre-release or beta versions, which the researchers did not include in their calculations of the $400,000 cost over the course of three years. They also caution that their results shouldn’t be applied to every bug bounty program and are specific to Google and Mozilla.

In their study, the researchers collected all of the vulnerabilities for which a bounty was paid and looked at the severity of each bug as well as the reward paid for it. They found that while there are a number of repeat contributors to each of the programs, reporting bugs to these programs isn’t a great way to make a living on an ongoing basis. The most successful contributors to the Google program have made a little more than $80,000 total, while the top earner for Mozilla has made $141,000 over three years. That’s good money, but it’s less than what a talented researcher can make over the same period working internally at a vendor such as Google.

“We find that VRPs appear to provide an economically efficient mechanism for finding vulnerabilities, with a reasonable cost/benefit trade-off. In particular, they appear to be 2-100 times more cost effective than hiring expert security researchers to find vulnerabilities. We therefore recommend that more vendors consider using them to their (and their users’) advantage,” the paper, written by Matthew Finifter, Devdatta Akhawe, and David Wagner, says.

The success of these bug bounty programs has prodded other vendors to try the same tactic. Just last month the Microsoft bug bounty program debuted, after years of company officials saying Microsoft had no need for such a reward system. Microsoft’s is a different animal, paying high rewards for techniques that bypass exploit mitigations in the newest release of Windows and lower rewards for bugs in Internet Explorer 11. The way that those programs go may help dictate whether Microsoft establishes a broader bounty program in the future.

Image from Flickr photos of Tax Credits

Suggested articles