Software vulnerabilities enable exploitation by malicious hackers, compromising the security of systems and data. This paper examines bug bounty programs (BBPs), which incentivize ethical hackers to discover vulnerabilities and responsibly disclose them to software vendors. Using game-theoretic models, we capture the strategic interactions among software vendors, ethical hackers, and malicious hackers. First, our analysis shows that software vendors can increase expected profits by participating in BBPs, which explains their growing adoption and the success of BBP platforms. Second, we find that vendors with BBPs release software earlier, albeit with more potential vulnerabilities, because BBPs enable coordinated vulnerability disclosure and mitigation. Third, the optimal number of ethical hackers to invite to a BBP depends solely on the expected number of malicious hackers seeking to exploit the software; this optimal number is lower than the expected malicious hacker count but increases with it. Finally, higher bounties incentivize ethical hackers to exert more effort, increasing the probability that they discover severe vulnerabilities first and reducing the success probability of malicious hackers. These findings highlight benefits of BBPs for vendors beyond profitability: earlier software releases become viable because the associated risk is managed through coordinated disclosure. As cybersecurity threats evolve, BBP adoption will likely gain momentum, giving vendors a valuable tool for strengthening their security posture and stakeholder trust. Moreover, BBPs fold vulnerability identification and disclosure into new market relationships and transactions, which shifts software vendors' incentives on product security choices such as release timing.