Although researchers have characterized the bug-bounty ecosystem from the point of view of platforms and programs, little effort has been made to understand the perspective of its main workers: bug hunters. To improve bug bounties, it is important to understand hunters' motivating factors, challenges, and overall benefits. We address this research gap with three studies: identifying key factors through a free-listing survey (n=56), rating each factor's importance with a larger-scale factor-rating survey (n=159), and conducting semi-structured interviews to uncover details (n=24). Of the 54 factors that bug hunters listed, we find that rewards and learning opportunities are the most important benefits. Further, we find program scope to be the top differentiator between programs. Surprisingly, we find earning reputation to be one of the least important motivators for hunters. Of the challenges we identify, communication problems, such as unresponsiveness and disputes over reports, are the most substantial. We present recommendations to make the bug-bounty ecosystem accommodating to more bug hunters and ultimately increase participation in an underutilized market.