The Market for Computer Hacks

Abstract

Many software developers run bug bounty programs that award a prize for the discovery of bugs in their software. In a setting of asymmetric information, we ask under what conditions a bug bounty program is beneficial for a software developer. In our model, a bug bounty program allows the developer to discriminate perfectly between different types of bugs and helps to avoid the reputation costs of exploited bugs. We find that the benefits of a bounty program depend not only on the characteristics of the underlying software but also on how the bounty program interacts with the other elements of the developer's security strategy.