Systems and blockchains often have security vulnerabilities and can be attacked by adversaries, with potentially significant negative consequences. Therefore, organizations and blockchain infrastructure providers increasingly rely on bug bounty programs, where external individuals probe the system and report any vulnerabilities (bugs) in exchange for monetary rewards (bounty). We develop a contest model for bug bounty programs with an arbitrary number of agents who decide whether to undertake a costly search for bugs or not. Search costs are private information. Besides characterizing the ensuing equilibria, we show that even inviting an unlimited crowd does not guarantee that bugs are found. Adding paid agents can increase the efficiency of the bug bounty scheme although the crowd that is attracted becomes smaller. Finally, adding (known) bugs increases the likelihood that unknown bugs are found, but to limit reward payments it may be optimal to add them only with some probability.
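The following is an added numerical illustration of the claim that an unlimited crowd does not guarantee discovery; it is not the paper's model or code. It assumes a deliberately stylized contest: n agents with private search costs drawn from Uniform[a, b] with a > 0, each searcher finding the single unknown bug independently with probability p, and one reward R paid to a finder chosen uniformly at random. In the symmetric threshold equilibrium an agent searches iff its cost is below c*, where the marginal agent is indifferent. All parameter values, function names and the closed-form tie-breaking term are assumptions made for the example.

```python
"""
Stylized bug-bounty contest (added illustration, not the paper's model).

Assumed setup (every parameter here is an illustrative assumption):
  * n agents, each with a private search cost c_i ~ Uniform[a, b], a > 0,
    so searching is never free.
  * A searching agent finds the bug independently with probability p.
  * One reward R is paid to a finder chosen uniformly at random.
  * Symmetric threshold equilibrium: search iff c_i <= c*, with the marginal
    agent at c* indifferent between searching and staying out.
"""
import math


def expected_benefit(c, n, a, b, p, R):
    """Expected payoff from searching when all rivals use threshold c.

    q = p*(c - a)/(b - a) is the probability that a given rival ends up a finder.
    With K ~ Binomial(n-1, q) rival finders, a finder is paid with probability
    E[1/(1+K)] = (1 - (1-q)^n) / (n*q)  (closed form for the binomial).
    """
    q = p * (c - a) / (b - a)
    if q <= 0.0:
        return p * R  # no rivals search: a finder is paid with certainty
    return p * R * (1.0 - (1.0 - q) ** n) / (n * q)


def equilibrium_threshold(n, a, b, p, R, tol=1e-12):
    """Bisection on the indifference condition expected_benefit(c*) = c*.

    The benefit decreases in c (more rivals, more sharing), so the crossing is
    unique. Corner cases: if p*R <= a even a lone searcher cannot cover the
    cheapest cost, so nobody searches; if the benefit at c = b still exceeds b,
    everybody searches.
    """
    if p * R <= a:
        return a
    if expected_benefit(b, n, a, b, p, R) >= b:
        return b
    lo, hi = a, b
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if expected_benefit(mid, n, a, b, p, R) > mid:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def prob_bug_found(n, a, b, p, R):
    """Equilibrium probability that at least one of the n agents finds the bug."""
    c_star = equilibrium_threshold(n, a, b, p, R)
    q = p * (c_star - a) / (b - a)
    return 1.0 - (1.0 - q) ** n


def limit_prob_bug_found(a, b, p, R, tol=1e-12):
    """n -> infinity: the expected number of finders lam solves
    p*R*(1 - exp(-lam))/lam = a, so P(found) = 1 - exp(-lam), strictly below 1.
    The crowd grows without bound, but the number of agents who actually search
    stays finite because the marginal searcher's cost cannot fall below a."""
    if p * R <= a:
        return 0.0
    target = a / (p * R)
    lo, hi = 1e-9, 1e6  # (1 - e^-lam)/lam decreases from 1 to 0 on this range
    while hi - lo > tol * max(1.0, hi):
        mid = 0.5 * (lo + hi)
        if (1.0 - math.exp(-mid)) / mid > target:
            lo = mid
        else:
            hi = mid
    return 1.0 - math.exp(-0.5 * (lo + hi))


if __name__ == "__main__":
    a, b, p, R = 0.2, 1.0, 0.5, 1.0  # illustrative parameter values (assumed)
    for n in (1, 10, 100, 1_000, 100_000):
        print(f"n={n:>7}  c*={equilibrium_threshold(n, a, b, p, R):.4f}  "
              f"P(bug found)={prob_bug_found(n, a, b, p, R):.4f}")
    print(f"n->inf   P(bug found)={limit_prob_bug_found(a, b, p, R):.4f}")
```

With the assumed parameters the discovery probability rises from about 0.19 with one agent to about 0.60 with ten, but converges to roughly 0.89 rather than to 1 as the invited crowd grows, because the minimum cost a > 0 caps the number of agents for whom a shared reward is worth the search.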