Working Paper: CEPR ID: DP17443
Authors: Aviram Zrahia; Neil Gandal; Sarit Markovich; Michael Riordan
Abstract: In this paper, we first provide background on the "nuts and bolts" of a bug bounty platform, a two-sided marketplace that connects firms and individual security researchers ("ethical" hackers) to find and be rewarded for discovering software vulnerabilities. We then empirically examine the effect of an exogenous external shock (Covid-19) on Bugcrowd, one of the two largest "two-sided" bug bounty platforms. The shock reduced the opportunity set for many security researchers who either lost their jobs or were placed on a leave of absence. We show that the exogenous shock led to a huge rightward (downward) shift in the supply curve and to an increase both in the number of submissions and new researchers on the platform. The results suggest that had there been a larger increase in number of firms with bug bounty programs on the platform, many more unique software vulnerabilities would have been discovered. We quantify the benefits to the platform from the exogenous shock which enables us to shed light on the benefits associated with the gig economy.
Keywords: bug bounty programs; platform; covid-19
JEL Codes: No JEL codes provided
Edges that are evidenced by causal inference methods are in orange, and the rest are in light blue.
Cause | Effect |
---|---|
COVID-19 pandemic (H12) | increase in number of active researchers (O39) |
COVID-19 pandemic (H12) | increase in submissions (C01) |
reduction in opportunity set for researchers (D80) | rightward shift in supply curve (D39) |
rightward shift in supply curve (D39) | increase in number of submissions (C01) |
rightward shift in supply curve (D39) | increase in number of new researchers (O39) |
increase in submissions (C01) | increase in unique vulnerabilities discovered (K24) |
number of firms participating (L11) | number of unique vulnerabilities discovered (Y40) |