THESIS
2023
1 online resource (x, 165 pages) : illustrations (some color)
Abstract
It is now widely acknowledged that information security is not just a technical issue, but also
heavily influenced by economic and policy factors. This three-study thesis examines the
economics of bug bounty programs and hacker marketplaces. In a bug bounty program, a firm
offers a reward (the bug bounty reward) to attract the public to submit vulnerabilities that could
otherwise be exploited to harm its system. In the first study, I develop an economic model that
characterizes the incentives of the offering firm and hackers who can either exploit or report a
vulnerability finding. I find that bug bounty programs mainly benefit firms that (1) have low
in-house efficiency in finding vulnerabilities or (2) face many coopetitive hackers, allowing
firms to enjoy two benefits: attack diversion and protection delegation. Although bug bounty
programs lead firms to reduce in-house protection, firms optimally retain sufficient in-house
protection to keep their systems more secure. In the second study, I use a specific bug bounty
program, Internet Bug Bounty, as a natural experiment to empirically study the unintended
consequence of information security crowdsourcing. I find that incentivizing crowd
contributors can disincentivize in-house contributors due to increased competition from crowd
contributors and decreased opportunities for inter-task learning. In the third study, I empirically
study the efficiency of hacker marketplaces through the lens of the spillover effect of sellers'
negative reputation. I find that negative feedback in hacker marketplaces generates a spillover
effect that reduces sales for sellers who offer similar products but do not receive negative
feedback. Social networking activities among hackers help mitigate this negative spillover
effect. Overall, these studies offer important implications for researchers and practitioners in
the areas of crowdsourcing, information security investment, and regulation of hacker
marketplaces.