Recently, bug-bounty programs have gained popularity and become a significant part of the security culture of many organizations. Bug-bounty programs enable organizations to enhance their security posture by harnessing the diverse expertise of crowds of external security experts (i.e., bug hunters). However, quantifying the benefits of bug-bounty programs remains elusive, which presents a significant challenge for managing them. Previous studies focused on measuring their benefits in terms of the number of vulnerabilities reported or based on properties of the reported vulnerabilities, such as severity or exploitability. Importantly, beyond these inherent properties, the value of a report also depends on the probability that the vulnerability would be discovered by a threat actor before an internal expert could discover and patch it. In this paper, we present a data-driven study of the Chromium and Firefox vulnerability-reward programs. First, we estimate the difficulty of discovering a vulnerability using the probability of rediscovery as a novel metric. Our findings show that vulnerability discovery and patching provide clear benefits by making it difficult for threat actors to find vulnerabilities; however, we also identify opportunities for improvement, such as incentivizing bug hunters to focus more on development releases. Second, we compare the types of vulnerabilities that are discovered internally vs. externally and those that are exploited by threat actors. We observe significant differences between vulnerabilities found by external bug hunters, internal security teams, and external threat actors, which indicates that bug-bounty programs provide an important benefit by complementing the expertise of internal teams, but also that external hunters should be incentivized more to focus on the types of vulnerabilities that are likely to be exploited by threat actors.

翻译：近年来，漏洞奖励计划日益普及，并已成为众多组织安全文化的重要组成部分。该类计划通过汇聚外部安全专家（即漏洞猎手）的多元专业知识，助力组织提升安全防护能力。然而，量化漏洞奖励计划的效益始终存在困难，这对其管理构成了重大挑战。以往研究主要根据所报告漏洞的数量，或基于严重程度、可利用性等漏洞属性来衡量其价值。但关键在于，除这些固有属性外，报告的价值还取决于漏洞被威胁行为者在内部专家发现并修复前发现的可能性。本文针对Chromium和Firefox的漏洞奖励计划开展了数据驱动研究。首先，我们采用“重发现概率”这一新指标来评估漏洞发现的难度。研究结果表明，漏洞发现与修复能够显著增加威胁行为者发现漏洞的难度，从而产生明确效益；但我们也识别出改进空间，例如激励漏洞猎手更关注开发版本。其次，我们比较了内部发现与外部发现的漏洞类型，以及被威胁行为者利用的漏洞类型。我们发现外部漏洞猎手、内部安全团队与外部威胁行为者发现的漏洞之间存在显著差异。这表明漏洞奖励计划通过补充内部团队的专业知识提供了重要价值，但同时也需要进一步激励外部猎手重点关注可能被威胁行为者利用的漏洞类型。