{"id":"https://openalex.org/W3137870677","doi":"https://doi.org/10.1093/cybsec/tyab007","title":"Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties","display_name":"Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties","publication_year":2021,"publication_date":"2021-01-01","ids":{"openalex":"https://openalex.org/W3137870677","doi":"https://doi.org/10.1093/cybsec/tyab007","mag":"3137870677"},"language":"en","primary_location":{"id":"doi:10.1093/cybsec/tyab007","is_oa":true,"landing_page_url":"https://doi.org/10.1093/cybsec/tyab007","pdf_url":"https://academic.oup.com/cybersecurity/article-pdf/7/1/tyab007/36578302/tyab007.pdf","source":{"id":"https://openalex.org/S2735156331","display_name":"Journal of Cybersecurity","issn_l":"2057-2085","issn":["2057-2085","2057-2093"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310311648","host_organization_name":"Oxford University Press","host_organization_lineage":["https://openalex.org/P4310311648","https://openalex.org/P4310311647"],"host_organization_lineage_names":["Oxford University Press","University of Oxford"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Cybersecurity","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://academic.oup.com/cybersecurity/article-pdf/7/1/tyab007/36578302/tyab007.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5088494351","display_name":"Kiran Sridhar","orcid":"https://orcid.org/0000-0003-1353-248X"},"institutions":[{"id":"https://openalex.org/I97018004","display_name":"Stanford University","ror":"https://ror.org/00f54p054","country_code":"US","type":"education","lineage":["https://openalex.org/I97018004"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Kiran Sridhar","raw_affiliation_strings":["Stanford University; Operations and Technology Management, University of Cambridge, CA 94103"],"raw_orcid":"https://orcid.org/0000-0003-1353-248X","affiliations":[{"raw_affiliation_string":"Stanford University; Operations and Technology Management, University of Cambridge, CA 94103","institution_ids":["https://openalex.org/I97018004"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5087204633","display_name":"Ming Ng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ming Ng","raw_affiliation_strings":["Department of Data Science, HackerOne, San Francisco, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Data Science, HackerOne, San Francisco, USA","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5088494351"],"corresponding_institution_ids":["https://openalex.org/I97018004"],"apc_list":{"value":1864,"currency":"USD","value_usd":1864},"apc_paid":{"value":1864,"currency":"USD","value_usd":1864},"fwci":4.1594,"has_fulltext":false,"cited_by_count":20,"citation_normalized_percentile":{"value":0.94009767,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":"7","issue":"1","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11675","display_name":"Open Source Software Innovations","score":0.9943000078201294,"subfield":{"id":"https://openalex.org/subfields/1706","display_name":"Computer Science Applications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11675","display_name":"Open Source Software Innovations","score":0.9943000078201294,"subfield":{"id":"https://openalex.org/subfields/1706","display_name":"Computer Science Applications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11437","display_name":"Digital Platforms and Economics","score":0.9822999835014343,"subfield":{"id":"https://openalex.org/subfields/1408","display_name":"Strategy and Management"},"field":{"id":"https://openalex.org/fields/14","display_name":"Business, Management and Accounting"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10270","display_name":"Blockchain Technology Applications and Security","score":0.9739000201225281,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/ceteris-paribus","display_name":"Ceteris paribus","score":0.7333518862724304},{"id":"https://openalex.org/keywords/hacker","display_name":"Hacker","score":0.7290064692497253},{"id":"https://openalex.org/keywords/endogeneity","display_name":"Endogeneity","score":0.6883262395858765},{"id":"https://openalex.org/keywords/revenue","display_name":"Revenue","score":0.6379363536834717},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.500108003616333},{"id":"https://openalex.org/keywords/payroll","display_name":"Payroll","score":0.4248397946357727},{"id":"https://openalex.org/keywords/phone","display_name":"Phone","score":0.41889768838882446},{"id":"https://openalex.org/keywords/economics","display_name":"Economics","score":0.3616238236427307},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3571312427520752},{"id":"https://openalex.org/keywords/actuarial-science","display_name":"Actuarial science","score":0.3295556306838989},{"id":"https://openalex.org/keywords/finance","display_name":"Finance","score":0.25743842124938965},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.22930559515953064},{"id":"https://openalex.org/keywords/accounting","display_name":"Accounting","score":0.1950291395187378},{"id":"https://openalex.org/keywords/microeconomics","display_name":"Microeconomics","score":0.14672818779945374},{"id":"https://openalex.org/keywords/econometrics","display_name":"Econometrics","score":0.1371707320213318}],"concepts":[{"id":"https://openalex.org/C138090074","wikidata":"https://www.wikidata.org/wiki/Q572079","display_name":"Ceteris paribus","level":2,"score":0.7333518862724304},{"id":"https://openalex.org/C86844869","wikidata":"https://www.wikidata.org/wiki/Q2798820","display_name":"Hacker","level":2,"score":0.7290064692497253},{"id":"https://openalex.org/C610760","wikidata":"https://www.wikidata.org/wiki/Q1340706","display_name":"Endogeneity","level":2,"score":0.6883262395858765},{"id":"https://openalex.org/C195487862","wikidata":"https://www.wikidata.org/wiki/Q850210","display_name":"Revenue","level":2,"score":0.6379363536834717},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.500108003616333},{"id":"https://openalex.org/C2778873167","wikidata":"https://www.wikidata.org/wiki/Q59434791","display_name":"Payroll","level":2,"score":0.4248397946357727},{"id":"https://openalex.org/C2778707766","wikidata":"https://www.wikidata.org/wiki/Q202064","display_name":"Phone","level":2,"score":0.41889768838882446},{"id":"https://openalex.org/C162324750","wikidata":"https://www.wikidata.org/wiki/Q8134","display_name":"Economics","level":0,"score":0.3616238236427307},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3571312427520752},{"id":"https://openalex.org/C162118730","wikidata":"https://www.wikidata.org/wiki/Q1128453","display_name":"Actuarial science","level":1,"score":0.3295556306838989},{"id":"https://openalex.org/C10138342","wikidata":"https://www.wikidata.org/wiki/Q43015","display_name":"Finance","level":1,"score":0.25743842124938965},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.22930559515953064},{"id":"https://openalex.org/C121955636","wikidata":"https://www.wikidata.org/wiki/Q4116214","display_name":"Accounting","level":1,"score":0.1950291395187378},{"id":"https://openalex.org/C175444787","wikidata":"https://www.wikidata.org/wiki/Q39072","display_name":"Microeconomics","level":1,"score":0.14672818779945374},{"id":"https://openalex.org/C149782125","wikidata":"https://www.wikidata.org/wiki/Q160039","display_name":"Econometrics","level":1,"score":0.1371707320213318},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C41895202","wikidata":"https://www.wikidata.org/wiki/Q8162","display_name":"Linguistics","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1093/cybsec/tyab007","is_oa":true,"landing_page_url":"https://doi.org/10.1093/cybsec/tyab007","pdf_url":"https://academic.oup.com/cybersecurity/article-pdf/7/1/tyab007/36578302/tyab007.pdf","source":{"id":"https://openalex.org/S2735156331","display_name":"Journal of Cybersecurity","issn_l":"2057-2085","issn":["2057-2085","2057-2093"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310311648","host_organization_name":"Oxford University Press","host_organization_lineage":["https://openalex.org/P4310311648","https://openalex.org/P4310311647"],"host_organization_lineage_names":["Oxford University Press","University of Oxford"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Cybersecurity","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1093/cybsec/tyab007","is_oa":true,"landing_page_url":"https://doi.org/10.1093/cybsec/tyab007","pdf_url":"https://academic.oup.com/cybersecurity/article-pdf/7/1/tyab007/36578302/tyab007.pdf","source":{"id":"https://openalex.org/S2735156331","display_name":"Journal of Cybersecurity","issn_l":"2057-2085","issn":["2057-2085","2057-2093"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310311648","host_organization_name":"Oxford University Press","host_organization_lineage":["https://openalex.org/P4310311648","https://openalex.org/P4310311647"],"host_organization_lineage_names":["Oxford University Press","University of Oxford"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Cybersecurity","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":23,"referenced_works":["https://openalex.org/W622223666","https://openalex.org/W1482904086","https://openalex.org/W1600918568","https://openalex.org/W1964827075","https://openalex.org/W2003891044","https://openalex.org/W2008626182","https://openalex.org/W2025674494","https://openalex.org/W2043811931","https://openalex.org/W2045357062","https://openalex.org/W2074358310","https://openalex.org/W2105285600","https://openalex.org/W2113898792","https://openalex.org/W2122301719","https://openalex.org/W2159610968","https://openalex.org/W2168076780","https://openalex.org/W2178583389","https://openalex.org/W2295069226","https://openalex.org/W2513442265","https://openalex.org/W2766541654","https://openalex.org/W2894552767","https://openalex.org/W3004040842","https://openalex.org/W3022734214","https://openalex.org/W4213379127"],"related_works":["https://openalex.org/W2329713064","https://openalex.org/W2122323138","https://openalex.org/W1884735238","https://openalex.org/W2152209674","https://openalex.org/W1583825119","https://openalex.org/W2091369959","https://openalex.org/W2091778562","https://openalex.org/W4244690016","https://openalex.org/W2220912222","https://openalex.org/W218106797"],"abstract_inverted_index":{"Abstract":[0],"We":[1,178],"ran":[2],"a":[3,33,50,73,95,110,118],"study":[4],"of":[5,38,63,76,78,134,156,193],"bug":[6,104],"bounties,":[7],"programs":[8,202],"where":[9],"gig":[10],"economy":[11],"security":[12,45,115,136],"researchers":[13,71],"are":[14,32,89,154,170],"compensated":[15],"for":[16,36,67,232],"pinpointing":[17],"and":[18,54,81,121,151,211],"explaining":[19],"vulnerabilities":[20,137],"in":[21,147,164],"company":[22,96],"code":[23,229],"bases.":[24],"Bug":[25],"bounty":[26],"advocates":[27],"have":[28,72,109,126],"argued":[29],"that":[30,87,145,183,195,201],"they":[31,88,108,208],"cost-effective":[34],"means":[35],"companies":[37,146,163,185],"all":[39],"types":[40],"to":[41,59,100,113,215],"shore":[42],"up":[43],"their":[44],"posture.":[46],"Our":[47],"research\u2014which":[48],"analyzes":[49],"large,":[51],"proprietary":[52],"dataset":[53],"which":[55],"leverages":[56],"instrumental":[57],"variables":[58],"eliminate":[60],"potential":[61],"sources":[62],"endogeneity\u2014provides":[64],"empirical":[65],"support":[66],"this":[68],"assertion.":[69],"Security":[70],"price":[74],"elasticity":[75],"supply":[77],"between":[79],"0.1":[80],"0.2":[82],"at":[83,174],"the":[84,132,148,175,187,191,225,228],"median,":[85],"indicating":[86],"largely":[90],"motivated":[91],"by":[92],"non-pecuniary":[93],"factors;":[94],"is":[97],"still":[98],"able":[99],"derive":[101],"utility":[102],"from":[103],"bounties":[105],"even":[106],"if":[107,224],"limited":[111],"ability":[112],"pay":[114],"researchers.":[116],"Moreover,":[117],"company\u2019s":[119],"revenue":[120],"brand":[122],"profile":[123],"do":[124],"not":[125,171],"an":[127],"economically":[128],"significant":[129,173],"impact":[130],"on":[131],"number":[133,192],"valid":[135,158,205],"reports":[138,194,206],"its":[139],"program":[140,226],"receives.":[141],"However,":[142],"we":[143,199],"found":[144,180],"finance,":[149],"retail,":[150],"healthcare":[152],"sectors":[153],"notified":[155],"fewer":[157,204],"vulnerabilities,":[159],"ceteris":[160],"paribus,":[161],"than":[162],"other":[165],"sectors,":[166],"though":[167],"these":[168],"estimates":[169],"statistically":[172],"5%":[176],"level.":[177],"also":[179],"no":[181],"evidence":[182],"new":[184],"joining":[186],"HackerOne":[188],"platform":[189],"dampen":[190],"firms":[196],"receive.":[197],"Finally,":[198],"find":[200],"receive":[203],"as":[207],"grow":[209],"older":[210],"bugs":[212],"become":[213],"harder":[214],"find.":[216],"This":[217],"negative":[218],"age":[219],"effect":[220],"may":[221],"be":[222],"dampened":[223],"increases":[227],"base":[230],"available":[231],"hacking.":[233]},"counts_by_year":[{"year":2025,"cited_by_count":3},{"year":2024,"cited_by_count":9},{"year":2023,"cited_by_count":4},{"year":2022,"cited_by_count":3},{"year":2021,"cited_by_count":1}],"updated_date":"2026-05-21T06:26:12.895304","created_date":"2025-10-10T00:00:00"}