Scandinavian Working Papers in Business Administration

Discussion Papers,
Norwegian School of Economics, Department of Business and Management Science

No 2020/4: Software vulnerabilities and bug bounty programs

Carsten Bienz () and Steffen Juranek ()
Additional contact information
Carsten Bienz: Dept. of Finance, Norwegian School of Economics, Postal: NHH , Department of Finance, Helleveien 30, N-5045 Bergen, Norway
Steffen Juranek: Dept. of Business and Management Science, Norwegian School of Economics, Postal: NHH , Department of Business and Management Science, Helleveien 30, N-5045 Bergen, Norway

Abstract: Many software developers employ bug bounty programs that award a prize for the detection of bugs in their software. We analyze, in a model with asymmetric information, under which conditions a bug bounty program is beneficial for a software developer. In our model, a bug bounty program allows developers to perfectly discriminate between different types of bugs, and help to avoid reputation costs of exploited bugs. We find that the benefits of bounty program do not only depend on the characteristics of the underlying software but also that a bounty program crucially interacts with other elements of the security strategy.

Keywords: Bug bounty program; software security; information technology security; software vulnerability

JEL-codes: D82; L86; M15; M20

22 pages, May 12, 2020

Full text files

2654088 PDF-file Full text

Download statistics

Questions (including download problems) about the papers in this series should be directed to Stein Fossen ()
Report other problems with accessing this service to Sune Karlsson ().

This page generated on 2024-06-19 04:36:04.