Internet Policy Review (Feb 2024)

Navigating vulnerability markets and bug bounty programs: A public policy perspective

  • Aviram Zrahia

DOI
https://doi.org/10.14763/2024.1.1740
Journal volume & issue
Vol. 13, no. 1

Abstract


As societies become increasingly dependent on digital means, organisations seek ways to prevent software exploitation, either by eliminating vulnerabilities or by acquiring them as products. However, there is an ongoing debate regarding the extent to which governments should become involved in markets for vulnerability sharing. This paper examines the economics of vulnerabilities and outlines possible areas for governmental intervention. I survey three policy alternatives to support the discovery and disclosure of software vulnerabilities: integrating security and penetration testing into the software development life cycle, acquisition of exploitable critical vulnerabilities by governments, and promoting bug bounty programs and platforms as vulnerability-sharing structures. For each suggested alternative, I present an impact matrix to qualitatively measure the effectiveness and efficiency of the vulnerability discovery process and the attractiveness, legality and trustworthiness of the disclosure process. I argue that bug bounty programs, which bring together organisations and ethical hackers to trade vulnerabilities, produce the highest impact. These gig economy structures are often built on two-sided digital market platforms and offer a low entry barrier and a degree of assurance for both sides of the market. The discussion provides a foundation for governmental decision-makers to design effective policies for sharing vulnerabilities.

Keywords