Discussion paper

DP17443 The Simple Economics of an External Shock on a Crowdsourced "Bug Bounty Platform"

In this paper, we first provide background on the "nuts and bolts" of a bug bounty platform, a two-sided marketplace
that connects firms and individual security researchers ("ethical" hackers) to find and be rewarded for discovering software
vulnerabilities. We then empirically examine the effect of an exogenous external shock (Covid-19) on Bugcrowd, one of the two
largest "two-sided" bug bounty platforms. The shock reduced the opportunity set for many security researchers who either lost
their jobs or were placed on a leave of absence. We show that the exogenous shock led to a huge rightward (downward) shift
in the supply curve and to an increase both in the number of submissions and new researchers on the platform. The results
suggest that had there been a larger increase in the number of firms with bug bounty programs on the platform, many more unique
software vulnerabilities would have been discovered. We quantify the benefits to the platform from the exogenous shock, which
enables us to shed light on the benefits associated with the gig economy.


Zrahia, A, N Gandal, S Markovich and M Riordan (2022), ‘DP17443 The Simple Economics of an External Shock on a Crowdsourced "Bug Bounty Platform"’, CEPR Discussion Paper No. 17443. CEPR Press, Paris & London. https://cepr.org/publications/dp17443