scieee Science in your language
[en] (orig)

Navigating vulnerability markets and bug bounty programs: A public policy perspective

Author: Zrahia, Aviram
Publisher: Berlin: Alexander von Humboldt Institute for Internet and Society
Year: 2024
DOI: 10.14763/2024.1.1740
Source: https://www.econstor.eu/bitstream/10419/285315/1/1882772466.pdf
Z ahia, A i am
A icle
Na iga ing ulne abili y ma ke s and bug boun y
p og ams: A public policy pe spec i e
In e ne Policy Re iew
P o ided in Coope a ion wi h:
Alexande on Humbold Ins i u e o In e ne and Socie y (HIIG), Be lin
Sugges ed Ci a ion: Z ahia, A i am (2024) : Na iga ing ulne abili y ma ke s and bug boun y
p og ams: A public policy pe spec i e, In e ne Policy Re iew, ISSN 2197-6775, Alexande on
Humbold Ins i u e o In e ne and Socie y, Be lin, Vol. 13, Iss. 1, pp. 1-30,
h ps://doi.o g/10.14763/2024.1.1740
This Ve sion is a ailable a :
h ps://hdl.handle.ne /10419/285315
S anda d-Nu zungsbedingungen:
Die Dokumen e au EconS o dü en zu eigenen wissenscha lichen
Zwecken und zum P i a geb auch gespeiche und kopie we den.
Sie dü en die Dokumen e nich ü ö en liche ode komme zielle
Zwecke e iel äl igen, ö en lich auss ellen, ö en lich zugänglich
machen, e eiben ode ande wei ig nu zen.
So e n die Ve asse die Dokumen e un e Open-Con en -Lizenzen
(insbesonde e CC-Lizenzen) zu Ve ügung ges ell haben soll en,
gel en abweichend on diesen Nu zungsbedingungen die in de do
genann en Lizenz gewäh en Nu zungs ech e.
Te ms o use:
Documen s in EconS o may be sa ed and copied o you pe sonal
and schola ly pu poses.
You a e no o copy documen s o public o comme cial pu poses, o
exhibi he documen s publicly, o make hem publicly a ailable on he
in e ne , o o dis ibu e o o he wise use he documen s in public.
I he documen s ha e been made a ailable unde an Open Con en
Licence (especially C ea i e Commons Licences), you may exe cise
u he usage igh s as speci ied in he indica ed licence.
h ps://c ea i ecommons.o g/licenses/by/3.0/de/legalcode
Volume 13 |
Na iga ing ulne abili y ma ke s and bug
boun y p og ams: A public policy
pe spec i e
A i am Z ahia Tel A i Uni e si y
DOI: h ps://doi.o g/10.14763/2024.1.1740
Published: 15 Feb ua y 2024
Recei ed: 5 Oc obe 2023 Accep ed: 6 Decembe 2023
Compe ing In e es s: The au ho has decla ed ha no compe ing in e es s exis ha
ha e in luenced he ex .
Licence: This is an open-access a icle dis ibu ed unde he e ms o he C ea i e
Commons A ibu ion 3.0 License (Ge many) which pe mi s un es ic ed use,
dis ibu ion, and ep oduc ion in any medium, p o ided he o iginal wo k is p ope ly
ci ed. h ps://c ea i ecommons.o g/licenses/by/3.0/de/deed.en
Copy igh emains wi h he au ho (s).
Ci a ion: Z ahia, A. (2024). Na iga ing ulne abili y ma ke s and bug boun y p og ams:
A public policy pe spec i e. In e ne Policy Re iew, 13(1). h ps://doi.o g/10.14763/
2024.1.1740
Keywo ds: Cybe secu i y policy, Bug boun y p og ams, Economics o ulne abili ies,
Digi al ma ke , Vulne abili y sha ing
Abs ac : As socie ies become inc easingly dependen on digi al means, o ganisa ions seek ways o
p e en so wa e exploi a ion by elimina ing ulne abili ies o acqui ing hem as p oduc s.
Howe e , he e is an ongoing deba e ega ding he ex en o which go e nmen s should become
in ol ed in ma ke s o ulne abili y sha ing. This pape examines he economics o ulne abili ies
and ou lines possible a eas o go e nmen al in e en ions. I su ey h ee policy al e na i es o
suppo he disco e y and disclosu e o so wa e ulne abili ies: in eg a ing secu i y and
pene a ion es ing in o he so wa e de elopmen li e cycle, acqui ing exploi able c i ical
ulne abili ies by go e nmen s, and p omo ing bug boun y p og ams and pla o ms as
ulne abili y-sha ing s uc u es. Fo each sugges ed al e na i e, I p esen an impac ma ix o
quali a i ely measu e he e ec i eness and e iciency o he ulne abili y disco e y p ocess and he
a ac i eness, legali y and us wo hiness o he disclosu e p ocess. I a gue ha bug boun y
p og ams ha b ing oge he o ganisa ions and e hical hacke s o ade ulne abili ies p oduce he
highes impac . These gig economy s uc u es a e o en based on wo-sided digi al ma ke
pla o ms as hei ounda ion and o e a low en y ba ie and assu ance le el o bo h ma ke
playe s. The discussion p o ides a ounda ion o go e nmen al decision-make s o design e ec i e
policies o sha ing ulne abili ies.
Issue 1
1. In oduc ion
Cybe h ea s eme ge as a se e e p oblem o he global economy as socie y in-
c easingly depends on in o ma ion echnology o all i s unc ions (Wo ld Econom-
ic Fo um, 2023). The ac ions o o ende s can ha e a - eaching consequences, a -
ec ing he inancial, social and heal h well-being o indi iduals, o ganisa ions and
na ions. Consequen ly, policymake s ha e ecognised he need o p o ec ci izens
and i ms agains cybe h ea s, leading o a g owing end in designing, adop ing
and implemen ing cybe secu i y- ela ed go e nmen al policies. Acco ding o Anki
Fadia e al. (2020), mo e han 100 go e nmen s ha e de eloped na ional cybe se-
cu i y de ence s a egies, and some ha e also es ablished dedica ed Na ional Cy-
be secu i y Agencies (NCAs) o help p o ec he public agains cybe secu i y a -
acks, he , aud and abuse.1
The e a e a ious me hods ha cybe a acke s can use; howe e , exploi ing so -
wa e ulne abili ies (bugs) emains a signi ican a ack ec o (Cybe A acks S a is-
ics, n.d.). Common ways o p e en so wa e exploi a ion be o e such an a ack a -
emp is made a e elimina ing ulne abili ies du ing coding and p oac i ely dis-
co e ing and ixing hem in exis ing p oduc s and se ices. Le e aging hi d-pa y
c owd wisdom can make i easie o de ec ulne abili ies; I he ea e e e o
hese ulne abili ies as he p oduc and hei ading ac i i y as he ma ke o ul-
ne abili ies.
This a icle examines he ollowing public policy p oblem: How should go e n-
men s become in ol ed in ulne abili y-sha ing ma ke s? I u he ocus on he e-
sea ch ques ion: How can policymake s suppo disco e ing and disclosing so -
wa e ulne abili ies in sys ems, p oduc s and se ices? To add ess his ques ion, I
su ey h ee a eas o possible in e en ion. The i s , some imes called secu i y-by-
design, aims o p e en ulne abili ies in oduced du ing de elopmen by in eg a -
ing secu i y in o he so wa e de elopmen li e cycle (SDLC), and i may in ol e
pene a ion es s execu ed by in e nal o con ac o eams. The second aims o e-
duce he numbe o high-impac exploi s in he black ma ke by acqui ing highly
exploi able c i ical ulne abili ies di ec ly o h ough an in e media y en i y. The
hi d is p omo ing bug boun y p og ams and pla o ms as media ion en i ies be-
ween indi idual secu i y esea che s and i ms. The expec ed ou come o his al-
e na i e is an inc eased numbe and quali y o so wa e ulne abili ies disco e ed
by he e hical hacke communi y and disclosed o he public so ha hey can de-
1. Examples include he Na ional Cybe Secu i y Cen e (NCSC) in he UK, and he Cybe secu i y and
In as uc u e Secu i y Agency (CISA) in he US.
2 In e ne Policy Re iew 13(1) | 2024
end agains hem.
Using a simpli ied a ionalis policy analysis p ocess, I iden i y wo p ima y goals
o he p oposed al e na i es, which align wi h he esea ch ques ion. The i s
goal is o enhance he e icien disco e y o ulne abili ies in p oduc s and sys-
ems, while he second aims o suppo a legal and us wo hy ulne abili y dis-
closu e p ocess. I quali a i ely assess h ee impac ca ego ies o each goal o
e alua e he sugges ed policies be o e p esen ing he esul s in a compa a i e im-
pac ma ix. My in o med in e p e a ion indica es ha boun y p og ams and pla -
o ms a e e ec i e and ha e low ba ie s o en y o i ms and he e hical hacke
communi y.
The e o e, I ecommend inc eased go e nmen al in e en ion by p omo ing o e-
qui ing hese s uc u es based on comme cial o communi y-d i en coo dina ed
disclosu e ini ia i es. While I ha e iden i ied a p e e ed policy, i is essen ial o
no e ha he discussed op ions a e no mu ually exclusi e and can be implemen -
ed in pa allel, as acknowledged by ENISA (2023). The pape aims o p o ide a
s a ing poin o policymake s ye o engage in his a ea by lis ing possible in e -
en ion al e na i es and jus i ying addi ional in es men s o go e nmen s al eady
ac i e in he ma ke o ulne abili ies.
This a icle p oceeds as ollows: Sec ion 2 discusses he dynamics o ma ke s o
ulne abili ies and bug boun y p og ams and lis s examples o go e nmen al in-
e en ion. Sec ion 3 p esen s he policy design me hodology and highligh s some
o my conside a ions. Sec ion 4 desc ibes he p oblem de ini ion, lis s ela ed poli-
cy design issues and in oduces he e alua ed go e nmen al policies. Nex , Sec ion
5 compa es he solu ion al e na i es, hei expec ed ou comes and he associa ed
ade-o s. Finally, Sec ion 6 concludes he discussion and summa ises i s main im-
plica ions and limi a ions.
2. Backg ound: sha ing so wa e ulne abili ies
Cybe - ela ed isks a e g owing and ha e become one o he mos se e e global
economic isks he wo ld may ace o e he nex decade (Wo ld Economic Fo um,
2023). O ganisa ional s akeholde s can add ess hese isks in a ious ways, includ-
ing a oidance, accep ance, mi iga ion and ans e (Ma in-Vegue, 2021). One ap-
p oach o mi iga e he cybe isks associa ed wi h so wa e exploi a ion is o iden-
i y and add ess secu i y ulne abili ies be o e hey a e exploi ed. This app oach is
aligned wi h he “iden i y” and “p o ec ” isk mi iga ion s ages o he Cybe secu i y
F amewo k o e ed by NIST (2018). Disco e ing ulne abili ies in p oduc s and se -
3 Z ahia
ices can be assigned o he i m’s de elopmen o secu i y- es ing eams, ou -
sou ced o hi d-pa y company expe s, o delega ed o ex e nal indi idual e-
sea che s h ough bug boun y p og ams in a end ha aligns wi h he no el idea
o c owdsou cing (Akgul e al., 2020).
Re iewing go e nmen in e en ions in cybe secu i y and he backg ound and dy-
namics o he ulne abili y-sha ing p oblem domain is equi ed o unde s and his
ma ke de elopmen be e .
2.1. Go e nmen in e en ion in cybe secu i y
In ecen yea s, go e nmen s ha e es ablished agencies dedica ed o p o ec ing
hei asse s and ci izens agains cybe h ea s. This ask o en manda es de ining
new policies o egula ions. S ill, p og ess in mi iga ing cybe isks is challenging,
possibly due o con lic ing equi ies, nega i e ex e nali ies, ade-o s be ween ci il
libe ies, p i acy conce ns and mo e (Na ional Resea ch Council, 2014). The policy
al e na i es p esen ed in his pape illus a e his challenge.
Go e nmen al in e en ion in cybe secu i y is expec ed o inc ease in he coming
yea s as cybe p o ec ion becomes a egula o y obliga ion in many sec o s. Go e n-
men s may inc ease hei di ec ope a ional in ol emen in a eas conside ed na-
ional p io i ies, such as C i ical In as uc u e P o ec ion (CIP) o Compu e Eme -
gency Readiness Team (CERT).2 Consequen ly, hey can p omo e egula ions ha
will hold he p i a e sec o liable. Fo example, he US aims o shi he esponsi-
bili y and liabili y o cybe secu i y away om indi iduals, small businesses and
local go e nmen s and on o he o ganisa ions p o iding p oduc s and se ices
(The Whi e House, 2023). Simila ly, he EU p omo es in i s NIS2 Di ec i e legal
measu es on ope a o s o essen ial se ices in speci ic sec o s i hey ail o ake
app op ia e secu i y measu es o ollow inciden no i ica ion ules (Di ec i e 2022/
2555, 2022).
Go e nmen s and policymake s ha e long ecognised he impo ance o cybe secu-
i y in o ma ion sha ing as a collabo a i e e o o enhance cybe -de ence (o -ad-
e sa y) pos u e by le e aging he b oade communi y’s capabili ies, knowledge
and expe ience (Z ahia, 2018).3 The sha ed in o ma ion migh include h ea -cen-
ic indica o s/objec s, bes p ac ices and ools and a ge - ela ed da a objec s,
2. Fo example, he US’s 2013 Na ional In as uc u e P o ec ion Plan (CISA, 2013) and he Uni ed
S a es Compu e Eme gency Readiness Team (US-CERT, n.d.).
3. An indi idual hacke s opped he global WannaC y ansomwa e a ack in 2017, showcasing he
powe o he communi y (Malwa eTech, 2017).
4 In e ne Policy Re iew 13(1) | 2024

namely so wa e ulne abili ies (Libicki, 2015). This pape concen a es on he la -
e in o ma ion ype.
2.2. The economics o ulne abili ies
A so wa e ulne abili y is “a secu i y law, gli ch, o weakness ound in so wa e
code” ha an a acke could exploi (NIST-CSRC, n.d.). Iden i ying and ixing so -
wa e ulne abili ies, commonly known as he ulne abili y li e cycle, ypically be-
gins wi h he (unin en ional) c ea ion o a bug du ing he coding phase. Un o u-
na ely, an a acke may ind and exploi he ulne abili y be o e i is disclosed and
a pa ch de eloped, esul ing in a ze o-day (0-day) exploi . Howe e , once he ul-
ne abili y is de ec ed and iden i ied by he de elopmen eam o a secu i y e-
sea che , e o s a e p io i ised o c ea e and issue a so wa e pa ch o elimina e
he exposu e (Bilge & Dumi as, 2012). Ex ensi e esea ch has been conduc ed on
he ulne abili y li e cycle, including comp ehensi e o e iews by Shahzad e al.
(2012) and ca ego isa ions o p e- and pos -disclosu e isk by Rajasoo iya e al.
(2016). In addi ion, Ransbo ham e al. (2012) summa ise he p ima y pa hways o
ulne abili y disclosu e.
Vulne abili ies o sale may be conside ed a p oduc o he “knowledge economy”
c ea ed by knowledge-in ensi e ac i i ies and cha ac e ised by apid obsolescence
(Powell & Snellman, 2004, p. 199). Fu he mo e, like o he knowledge o da a ob-
jec s, ulne abili ies a e non- i al goods ha can be used by se e al pa ies con-
cu en ly. The ma ke o ulne abili ies as p oduc s can be desc ibed using mic o-
economics e minology, whe e o ganisa ions gene a e demand and secu i y p o es-
sionals supply hei expe ise and ind hem. F om a supply chain s andpoin , ind-
ing a ulne abili y may be conside ed a make-o -buy managemen decision.
Williamson (2008) ou lines h ee go e nance decisions a company may encoun e
while assessing T ansac ion Cos Economics (TCE): ma ke s, hyb ids and hie a -
chies. In ligh o his de ini ion, companies can mee he demand o ulne abili-
ies wi h hei de elopmen and secu i y pe sonnel u ilising in e nal hie a chies.
Al e na i ely, hey could use hyb id long- e m con ac ing o specialised compa-
nies o emb ace a ma ke s a egy wi h skilled indi idual secu i y esea che s wi h
no bila e al s akeholde dependency.
I emb ace he iew o Ablon & Libicki (2015) and di ide he ulne abili y ma ke
in o h ee ca ego ies: legi ima e (whi e), illegal (black) and legal bu anonymous
(g ey).4 In he whi e ma ke , buye s and selle s a e iden i ied and may legally ade
4. The e ms “whi e”, “g ey” and “black” a e he s anda d naming o hese ma ke s in he cybe wo ld.
5 Z ahia
ulne abili ies so endo s can ix hem. The unde g ound black ma ke is whe e
cybe c ime o ganisa ions buy exploi s, a ack se ices, s olen asse s and o he ille-
gal p oduc s om black-ha hacke s. The g ey ma ke acili a es he exchange o
ulne abili ies and exploi s ha migh be used o o ensi e pu poses. While his
ma ke is no illegal pe se, i ope a es in a mo al and e hical g ey a ea due o he
po en ial o ha m associa ed wi h undisclosed ulne abili ies.
The analysis equi es an unde s anding o he way he alue o a ulne abili y
changes depending on i s li e-cycle s age and aded ma ke (Figu e 1). A ze o-day
ulne abili y may be alued a six o mo e igu es in he whi e and black ma ke s
(Apple Secu i y Boun y Ca ego ies, n.d.; Pe l o h, 2021), bu i s p ice declines di e -
en ly o e ime. In he whi e ma ke , disclosed ulne abili ies a e sha ed as public
goods o ee, so hei alue d ops o ze o once he endo eleases a pa ch and
hey become public goods. In con as , in he black ma ke , he exploi code has a
mone a y alue e en a e N-days due o p oduc exclusi i y. Rega dless, i s alue
d ops o e ime as he likelihood o inding and exploi ing a non-pa ched sys em
dec eases.
FIGURE 1: Vulne abili y as a p oduc alue ma ix in black and whi e ma ke s.
2.3. Bug boun y p og ams and pla o ms
The claim dubbed ‘Linus law’, ha “gi en enough eyeballs, all bugs a e shallow”
(Raymond, 1999, p. 29) e e s o he co-de elopmen and es ing o open-sou ce
so wa e in ol ing many people who deli e a less buggy (and he e o e less ul-
ne able) code oge he . A simila p inciple may apply o bug boun y p og ams u il-
6 In e ne Policy Re iew 13(1) | 2024
ising c owdsou ced ulne abili y disco e y. F om an o ganisa ional pe spec i e, e -
ec i ely iden i ying ulne abili ies is a high- alue challenge, so i ms can bene i
om engaging la ge c owds o esea che s o ackle his ask. This choice aligns
wi h heo ies o i m bounda ies, which in ol e deciding which asse s, ac i i ies
and esou ces o “own” and which o access h ough he ma ke (Zenge e al.,
2011, p. 95).
Bug boun y p og ams a e s uc u ed a angemen s be ween o ganisa ions and in-
di idual secu i y esea che s o ade ulne abili ies as p oduc s. They allow o -
ganisa ions o in e ac wi h cybe -secu i y expe s whose knowledge complemen s
he capabili ies o he i m’s de elopmen and es ing eams. Th ough his ex-
change, secu i y esea che s can epo on secu i y ulne abili ies and ecei e le-
gi ima e compensa ion o hei indings and ecogni ion om hei pee s and he
indus y o hei expe ise (Bienz & Ju anek, 2020; Malladi & Sub amanian, 2020).
Bug boun y pla o ms a e wo-sided digi al ma ke places ha hos mul iple bug
boun y p og ams, b inging oge he secu i y esea che s and o ganisa ions o acil-
i a e ulne abili y ading (Mailla e al., 2017; Sub amanian & Malladi, 2020;
Wachs, 2022; Zhao e al., 2017). These pla o ms ewa d he i s pa icipan sub-
mi ing a no el ulne abili y epo wi h a di ec o indi ec paymen (boun y), c e-
a ing a ou namen -like a angemen (Jo, 2020). Using hese pla o ms educes in-
o ma ion asymme ies and o he ic ional cos s associa ed wi h he ansac ion
o speci ic, in equen , and unce ain asse s (Wachs, 2022). Figu e 2 illus a es he
ole o a bug boun y pla o m as a acili a o o he ulne abili y-sha ing ansac-
ion be ween o ganisa ions as buye s and esea che s as selle s.
FIGURE 2: A bug boun y pla o m as a wo-sided ma ke o sha ing so wa e ulne abili ies.
Bug boun y p og ams can be iewed as a compe i i e economy model whe e buy-
e s and selle s a emp o maximise hei u ili y and p o i s. The indi idual e-
7 Z ahia
sea che s a e he selle s, he o ganisa ions gene a ing he boun y p og ams a e
he buye s and he disco e ed ulne abili ies a e he goods.5 These s uc u es a e
also ela ed o he phenomenon o he gig economy: a labou ma ke o indepen-
den con ac ing ha happens h ough, ia and on digi al pla o ms (James, 2021).
In his se ing, a ulne abili y epo cons i u es a me e gig economy ansac ion
wi h a low en y ba ie , po en ially allowing policymake s o con ol he supply
size (Z ahia e al., 2022).
3. Policy design me hodology
Policy analysis in ol es explaining p oblems ela ed o he gene al public and de-
eloping al e na i es o add ess hem and mi iga e hei ailu es. I ollowed he
simpli ied a ionalis p ocess o Weime & Vining (2017) by di iding he e o in o
wo main componen s. Sec ion 4 ocused on p oblem analysis, which includes
de ining he p oblem, lis ing po en ial solu ions and se ing policy goals. In Sec-
ion 5, I conduc ed a solu ion analysis, u he expanding on he policy op ions
while p edic ing, e alua ing and compa ing hei impac s. I began he p oblem
analysis wi h he esea ch ques ion: How can policymake s suppo disco e ing
and disclosing so wa e ulne abili ies in sys ems, p oduc s and se ices? Nex , I
a gued ha he p oblem is a socie al conce n ha jus i ies go e nmen al in e en-
ion, and I lis ed he h ee e alua ed solu ions. Finally, I b ie ly desc ibed how each
al e na i e would help and i s expec ed ou come.
I selec ed wo goals, iewing he i s as “subs an i e” and he second as “p ocedu -
al” (Bali e al., 2021). The impac s associa ed wi h he subs an i e goal a e di ec ly
conce ned wi h he ends o he policy, while he esul s ela ed o he p ocedu al
goal, indi ec ly bu signi ican ly, a ec p ocesses and ou comes accoun ing o he
means o achie e he policy ends. Fu he mo e, I se he goals so ha each ep e-
sen s a di e en s age in he ulne abili y-sha ing p ocess (disco e y and disclo-
su e) and a di e en s akeholde pe spec i e in he ma ke o ulne abili ies —
he i s goal was associa ed wi h he buye (o ganisa ion) pe spec i e, while he
second pe ained o he selle ( esea che ).
I de ailed he h ee policy al e na i es in he solu ion analysis s age, e e encing
ele an academic li e a u e and p o essional esou ces. To measu e he impac o
each policy on each goal, I used quali a i e sco ing c i e ia o h ee le els: low,
medium and high. These ca ego ies a e no necessa ily equally spaced, and I used
anges wi hin hese classes whe e app op ia e. I p esen ed he esul s in a com-
5. This iewpoin e e s o he ma ke a e a esea che inds a ulne abili y (ex-pos ).
8 In e ne Policy Re iew 13(1) | 2024
Go e nmen s no al eady pa icipa ing in ze o-day ma ke s may conside se ing
goals and es ablishing e alua ion p ocesses, while hose al eady in ol ed may
conside inc easing hei in ol emen . Reducing he numbe o a ailable ze o days
would educe he numbe o cybe -c iminals and he s a e p og ams ha depend
on hem (Mau e , 2017). Howe e , his depends on whe he policymake s wan o
“d ain he swamp” o ulne abili ies o use hem o o ence.
5.1.3. Suppo bug boun y p og ams and pla o ms
In ecen yea s, in e ne go e nance and digi al pla o m egula ion ha e become
ho opics o schola s and p ac i ione s (Eps ein e al., 2016; Flew & Ma in, 2022;
Fus e Mo ell, 2022). This in ol emen expands beyond social ne wo ks and com-
modi y ma ke s in o wo-sided ma ke s o ulne abili ies. In his al e na i e, go -
e nmen s may encou age o en o ce ulne abili y disclosu e p og ams (VDPs) o
bug boun y p og ams (BBPs) in speci ic e ical segmen s. The i s p og am ype
allows esea che s o sa ely submi hei epo s o o ganisa ions wi hou ecei -
ing cash ewa ds, and he la e o e s mone a y awa ds o unique (unknown)
alid disco e ies (Walshe & Simpson, 2022).
Va ious na ional-le el ini ia i es ha e been implemen ed o acili a e coo dina ed
ulne abili y disclosu e (CVD) policies. Examples include he US equi emen om
ede al agencies (BOD 20-01: De elop and Publish a Vulne abili y Disclosu e Poli-
cy, 2020), he EU’s CVD policy (ENISA, 2022) and he UK’s ulne abili y disclosu e
oolki (The Na ional Cybe Secu i y Cen e, 2020). These ini ia i es a e o en
based on comme cial bug boun y pla o ms ha ou line disco e y and disclosu e
p ocedu es as pa o hei p og am’s scope and code o conduc .11
O ganisa ions ope a ing bug boun y p og ams o en ail o con ey all he o mal
cons ain s applicable o hacke s, equi ing hem o unde s and he laws unde pin-
ning sa e and legal secu i y esea ch (Walshe & Simpson, 2023). C owdsou cing
secu i y as a se ice h ough bug boun y pla o ms can enable his p ocess sa ely
and legally. Choi e al. (2010) ound bug boun y p og ams o be a wel a e-imp o -
ing policy ins umen since hey ei he do no a ec he i m’s disclosu e policy o
acili a e a change om non-disclosu e o disclosu e. Al e na i ely, go e nmen s
can suppo communi y-d i en ulne abili y disclosu e p ojec s such as Disclose.io,
which aims o make ulne abili y disclosu e sa e, simple and s anda dised o
e e yone.12
11. Fo example, CISA ( he US ini ia i e) uses BugC owd and EnDyna as hei bug boun y pla o m
p o ide (Golds ein, 2021), while he UK uses Hacke One (Minis y o De ence, 2020).
12. The p ojec p o ides a comp ehensi e lis o known bug boun y and ulne abili y disclosu e p o-
15 Z ahia

In addi ion, bug boun ies p omo e public anspa ency by acili a ing he disclo-
su e p ocess o he public. When e hical secu i y esea che s disco e ulne abili-
ies, hey can e eal hem h ough ull o coo dina ed ulne abili y disclosu e
me hods (Mailla e al., 2017). Full disclosu e p essu es so wa e owne s o ix he
issue immedia ely, as i in ol es ale ing he public di ec ly. Coo dina ed ulne a-
bili y disclosu e, on he o he hand, allows endo s o add ess he ulne abili y be-
o e sha ing he de ails publicly. The op imal disclosu e app oach emains a opic
o deba e (A o a & Rahul, 2005; Choi e al., 2010). Howe e , no all ulne abili ies
a e disclosed o sha ed wi h he public du ing black o g ey ma ke ansac ions
(Ablon & Libicki, 2015; McKinney, 2007).
A iable go e nmen al in e en ion policy may legally en o ce bug boun y p o-
g ams on speci ic indus y e icals (Zhao e al., 2017), es ablish join ini ia i es
wi h exis ing bug boun y pla o ms o suppo ulne abili y-sha ing communi y e -
o s.
5.2. Policy impac s analysis
In he upcoming sec ions, he policy goals and hei associa ed impac ca ego ies
will be quali a i ely assessed o each solu ion al e na i e, wi h jus i ica ions o
he analysis.
5.2.1.E alua ing e ec i e and e icien disco e y o ulne abili ies
The subs an i e goal o an e ec i e and e icien ulne abili y disco e y is aligned
wi h he o ganisa ional in e es s, and he success o a policy in mee ing i can be
measu ed by he numbe and quali y o unique ulne abili ies disco e ed, as well
as i s economic e iciency.
I e lec on insigh s om he open-sou ce li e a u e and a gue ha he numbe o
unique disco e ed ulne abili ies depends on he numbe o esea che s, hei ex-
pe ise and hei access le el o he p oduc o se ice (Sch yen & Kadu a, 2009).
In-dep h ulne abili y esea ch is made possible wi h code-le el access a he han
ea ing he sys em as a black box (McG aw, 2004). Al hough secu e SDLC policies
allow o ho ough pene a ion es ing, I a gue ha he numbe o disco e ed ul-
ne abili ies may depend on a limi ed numbe o secu i y expe s compa ed o he
po en ially la ge c owd o indi idual esea che s accessible h ough bug boun y
p og ams and pla o ms (Mailla e al., 2017). Hence, I an icipa e a mode a e
numbe o ulne abili ies o be disco e ed. Acqui ing ze o-day ulne abili ies is a
g ams, de ailing whe e o submi epo s and hei espec i e “sa e ha bou ” s a us.
16 In e ne Policy Re iew 13(1) | 2024
s a egy ypically ese ed o selec ed, highly exploi able cases, a subse o he
limi ed supply o hese ulne abili ies (Mau e , 2017). Bug boun y p og ams can
lead o he disco e y o a mode a e o high numbe o ulne abili ies (Walshe &
Simpson, 2020; Z ahia e al., 2022), depending on he p og am’s ules, incen i e
s uc u e and deg ee o openness. The la e e e s o he choice be ween a p o-
g am ha is a ailable o e e yone (public) o only o a g oup o esea che s (p i-
a e) who may be p e-selec ed and possibly g an ed ele a ed access igh s o e-
sea ch he p oduc o se ice (Wachs, 2022).
The second impac ca ego y I e alua e is he quali y o disco e ed ulne abili ies,
which, simila ly o he quan i y, is a ec ed by he esea che s’ expe ise and access
le el. The e o e, I a gue ha so wa e de elopmen and pene a ion es eams,
g an ed ele a ed access igh s, can ind medium-high se e i y ulne abili ies. Ze o-
day ulne abili ies aded on he g ey ma ke a e o en o excep ionally high quali-
y due o hei exploi able na u e (Meakins, 2019). In con as , he quali y o sub-
missions o bug boun y p og ams can a y be ween low and high (Walshe & Simp-
son, 2020; Z ahia e al., 2022), depending on he p og am’s cha ac e is ics and
ou namen s uc u e, acili a ing compe i ion among esea che s.
Finally, assessing he economic e iciency aspec o a ulne abili y disco e y policy
equi es a conside a ion o i s cos s and bene i s. Secu e SDLC and pene a ion
es s a e ypically paid o by con ac acco ding o an ag eed Scope o Wo k (SOW)
a he han pe o mance-based paymen (Engin, 2023). Hence, I ma k i s e ec i e-
ness le el as a medium. By con as , he cos o pu chasing a single ze o-day o
go e nmen s may be ex emely high, depending on he ulne abili y’s se e i y, he
exploi ’s complexi y and how long he ulne abili y emains undisclosed (Ablon &
Libicki, 2015). The la e ac o e lec s whe he he p oduc ( he ze o-day ulne a-
bili y) is a p i a e good, de ined by i al y in consump ion and excludabili y in
owne ship and use (Weime & Vining, 2017). Disclosing he ulne abili y o he
public o o he buye s may a ec he cos -e ec i eness o his policy op ion i he
designa ed use o he pu chased exploi is o ensi e. The e o e, he impac ca ego-
y o buying ze o-day ulne abili ies may a y be ween medium and high, assum-
ing he go e nmen al goal is de ensi e. The economic e iciency o bug boun y
p og ams can be measu ed using he unique- o- o al submission a io,13 which
conside s he e o and cos o p ocessing duplica e o inco ec ulne abili y e-
po s (Z ahia e al., 2022).14 Though in alid epo s may signi ican ly bu den pa -
13. The unique- o- o al submission a io ep esen s he pe cen age o unique ulne abili ies ound ou
o he o al numbe o submi ed epo s.
14. Duplica e submission is a disco e y o a ulne abili y al eady known o iden i ied by ano he e-
17 Z ahia
icipa ing o ganisa ions (Zhao e al., 2017), he e a e ways o educe hem by limi -
ing access o he p og am, changing he ewa ds s uc u e and mo e. The e o e,
he economic e iciency o bug boun y p og ams ha emb ace pe o mance-based
paymen s migh be conside ed medium-high.
5.2.2.E alua ing he disclosu e p ocess
The p ocedu al goal o es ablishing an a ac i e, legal and us wo hy disclosu e
p ocess pe ains o esea che s disco e ing ulne abili ies mo e han he o ganisa-
ions acqui ing hem. The i s impac ca ego y I sugges o measu ing his goal is
he ease o epo ing which also e lec s i s ba ie s o en y. Unde he secu e
SDLC and pene a ion es ing policy he in e nal wo k o ce o con ac o s can e-
po ulne abili ies p omp ly and e ec i ely o he o ganisa ion. Howe e , as ac-
knowledged by Çe in e al. (2018), implemen ing his op ion equi es esou ce in-
es men s and expe ise which may challenge small o ganisa ions, esul ing in a
medium ba ie o en y. Repo ing and ba ie s o en y a e no ably mo e di icul
in he g ey ma ke o ze o-day ulne abili ies, as esea che s may lack he neces-
sa y connec ions o sell di ec ly o go e nmen s. Hence, in oducing an in e medi-
a y may acili a e a epo ing p ocedu e while p ese ing anonymi y o bo h pa -
ies. Bug boun y p og ams and pla o ms in he egula ed whi e ma ke ha e a
mo e s aigh o wa d epo ing p ocess based on hei p ede ined scope and ules
o engagemen .15 Fu he mo e, hese pla o ms ha e ela i ely low en y ba ie s
since hey suppo a simple egis a ion p ocess o bo h ma ke playe s and may
allow anyone o submi ulne abili y epo s.
The second impac measu es whe he he disclosu e p ocess p o ec s he e-
sea che om legal consequences. The SOW o ou sou ced pene a ion es ing
should include clauses ha p o ide legal p o ec ion o secu i y esea che s. Simi-
la ly, he SDLC de elopmen p ocess inhe en ly p o ec s employees when ixing
bugs. In he g ey ma ke policy, esea che s selling a ze o-day o a go e nmen
may p e e o emain anonymous and use an in e media y o a oid e ealing hei
iden i y o he buye . Mo eo e , he buying go e nmen o en wan s o main ain
he same le el o anonymi y (Annu-Essuman, 2014). By con as , bug boun y p o-
g ams and pla o ms should include clea disclosu e guidance and o en suppo
ull o pa ial sa e ha bou policies o encou age epo ing.16
sea che . The e o e, i has no alue o he endo (o e en nega i e alue conside ing he cos s as-
socia ed wi h p ocessing i ).
15. Fo example, Bugc owd’s epo ing p ocess (Bugc owd, n.d.).
16. Fo example, Mic oso ’s sa e ha bou policy (Mic oso , n.d.).
18 In e ne Policy Re iew 13(1) | 2024
The las impac analysed is a us wo hy and a ac i e model. T us be ween buy-
e s and selle s is associa ed wi h be e exchange pe o mance, lowe ansac ion
cos s and enhanced knowledge ans e (Poppo e al., 2016). In he ulne abili y
ma ke , selle s ace an addi ional challenge ela ed o us : hey mus p o e he
au hen ici y o he ulne abili y wi hou e ealing i o he buye .
In e nal o ex e nal o ganisa ional eams in ol ed in secu e SDLC and pene a ion
es s ge paid by con ac , making us a non-issue and he a ac i eness o he
ansac ion nego iable. Howe e , us is a eal challenge o bo h sides when sell-
ing ze o-days o go e nmen s di ec ly o h ough a g ey ma ke b oke . Re-
sea che s may equi e anonymised c yp ocu ency paymen s and assu ance ha
hey will be ul illed. On he o he hand, buye s who wan o ob ain a ze o-day o
o ensi e pu poses need exclusi e access and non-disclosu e commi men s o
main ain i s alue. The e o e, using in e media ies may add us alida ion and
e i ica ion o he ansac ion as Ablon & Libicki (2015) no ed. Simila ly, us is
c i ical in he whi e ulne abili y-sha ing ma ke whe e bug boun y p og ams and
pla o ms acili a e in e ac ions be ween wo en i ies ha may no ha e any p e-
exis ing ela ionship o his o y o in e ac ion. Pla o m in e media ies can educe
he isk o bo h pa ies by ensu ing mu ually bene icial e ms and condi ions o
disclosu e and pa icipa ion (Sub amanian & Malladi, 2020). A coo dina ed ulne -
abili y disclosu e p ocess g an s he endo he necessa y ime o apply a pa ch
be o e sha ing he ulne abili y wi h he public. No exclusi i y isk exis s i he o -
ganisa ion in ends o ix he issue and no i y he public. Vendo s usually comple e
hei paymen s o esea che s o main ain hei epu a ion. Howe e , a wo-sided
bug boun y pla o m can educe he isk o un elie ed con ac ual haza ds and add
us and assu ance o imely paymen s.
5.2.3. Compa a i e impac ma ix
The compa a i e impac ma ix p esen ed in Table 3 summa ises he p edic ed im-
pac o each al e na i e on he wo de ined goals.
19 Z ahia
TABLE 3: Impac e alua ion o policy op ions o go e nmen al in e en ion ela ed o sha ing
ulne abili ies
IMPACT
CATEGORY POLICY ALTERNATIVES
Encou age secu e de elopmen and
pene a ion es s Acqui e ze o-day ulne abili ies Suppo bug boun y
p og ams and pla o ms
GOAL I: EFFECTIVE AND EFFICIENT DISCOVERY OF VULNERABILITIES
NUMBER OF
UNIQUE
DISCOVERED
VULNERABILITIES
Medium, gi en he ade-o
be ween ho ough es ing and he
numbe o secu i y esea che s
Low, as only ze o-day
ulne abili ies a e po en ially
pu chased
Medium-high, depending
on he p og am’s
cha ac e is ics
QUALITY OF
DISCOVERED
VULNERABILITIES
Medium-high, based on he de ined
scope, access le el and expe ise o
he es ing eam
High, as i pe ains o ze o-day
c i ical ulne abili ies only
Va ies be ween low and
high, based on he
p og am’s cha ac e is ics
ECONOMIC
EFFICIENCY IN
PRODUCTION
Medium, as he pene a ion ask
paid ega dless o he indings
Va ies be ween medium o high
and a ec ed by exclusi i y isk
and ex eme p ices o p emium
ulne abili ies
Medium-high, aking in o
conside a ion he alid-
o- o al submission a io
GOAL II: AN ATTRACTIVE, LEGAL AND TRUSTWORTHY DISCLOSURE PROCESS
EASE OF
REPORTING AND
BARRIERS TO
ENTRY
High (easy epo ing), as de ined in
he scope o wo k o he in e nal
wo k o ce o con ac o s
Low (complica ed epo ing),
unless made h ough a hi d
pa y, g ey ma ke b oke
High (easy epo ing),
based on he in e media y
pla o m ools and
p ocedu es
LEGALLY SAFE
DISCLOSURE
High (legally sa e) as de ined
explici ly in he scope o wo k o
pene a ion es s and inhe en o
he SDLC p ocess
Medium, due o he isks
associa ed wi h g ey ma ke
ansac ions
High (legally sa e), based
on he boun y p og am’s
ull o pa ial sa e
ha bou policy
TRUSTWORTHY
AND ATTRACTIVE
MODEL
Highly eliable paymen pe con ac
Low-medium eliabili y o bo h
sides, as paymen s migh be
condi ional and exclusi i y
ques ionable
Paymen is highly eliable
as de ined in he
p og am’s scope and
pla o m ules
5.2.4. T ade-o s, ensions and misalignmen s
This sec ion highligh s po en ial a eas o misalignmen among di e en ma ke
20 In e ne Policy Re iew 13(1) | 2024

playe s o policymake s ela ed o he goals and impac ca ego ies. These con lic s
may gene a e ma ke ailu es, sugges ing ha public policy o e sigh is essen ial.
Fi s ly, I conside he ade-o endo s ace be ween he quan i y and quali y o
disco e ed ulne abili ies. I is widely accep ed ha inding high-se e i y ulne a-
bili ies equi es mo e expe ise and is he e o e less common han inding low-
quali y ones. Addi ionally, he access le el o esea che s o he code can impac
hei abili y o ind bugs (Sch yen & Kadu a, 2009). While mo e esea che s es ing
he code inc ease he numbe o disco e ed ulne abili ies (Mailla e al., 2017),
high olumes o low-quali y epo s can bu den ope a o s and consume esou ces
(Walshe & Simpson, 2022). Fu he mo e, con es s can encou age inno a ion, bu
admi ing mo e compe i o s can c ea e ension be ween inno a ion and incen i es
o all playe s (Te wiesch & Xu, 2008). While ha ing mo e compe i o s may s imu-
la e inno a ion by a highe likelihood ha a leas one agen will ind a highly al-
ued solu ion, i can also educe he expec ed ewa d o esea che s and hei in-
cen i e o epo ulne abili ies. Addi ionally, a ac ing high-quali y esea che s
and inding high-se e i y bugs is becoming mo e di icul as he p og am ma u es,
hence he ecommenda ion o inc ease ewa ds o e ime (McC acken, 2019). In
ligh o hese issues, I a gue ha o ganisa ions could e alua e hei s a egy o e
ime and ebalance he numbe o secu i y esea che s and hei access le el o
he code wi h bug boun y pla o ms po en ially helping ma ch esea che s wi h
ele an expe ise o speci ic p og ams (Kes elyn & Bugc owd Head o P oduc
Ma ke ing, 2022).
Nex , I conside he o ensi e e sus de ensi e use o ze o-day ulne abili ies by
go e nmen s ope a ing in he g ey ma ke . The alue o a ze o-day p ima ily de-
pends on i s sca ci y and sec ecy (Meakins, 2019). While buying ulne abili ies may
be cos -e ec i e i sha ed wi h he public some go e nmen s may p e e o keep
hem p i a e o o ensi e use. Unde he la e scena io, hey isk losing exclusi i-
y o he ulne abili y. I ha happens, i s alue will decline o comple ely dimin-
ish once pa ched. The go e nmen al decision o keep o e eal a ulne abili y may
also depend on he geopoli ical ci cums ances. Fu he mo e, a conce n associa ed
wi h his al e na i e is whe he he go e nmen can be us ed o implemen i o
he bene i o he gene al public. The Elec onic P i acy In o ma ion Cen e (EPIC)
c i icises he Vulne abili ies Equi ies Policy o he US men ioned ea lie o lack o
anspa ency, p i acy implica ions, and mo e (The Elec onic P i acy In o ma ion
Cen e , n.d.). Secu i y esea che s may need o balance he expec ed ewa d om a
ulne abili y disco e y and he consequences o illegal, immo al o une hical sub-
mission o he black o g ey ma ke s. These ma ke s migh pay en imes (o mo e)
21 Z ahia
highe han he whi e ma ke would pay, so a esea che who inds a ze o-day
aces a signi ican dilemma (Ablon & Libicki, 2015). The p ocedu al goal o acili-
a ing an a ac i e, legal and us wo hy disclosu e p ocess aims o balance his
ension and solici whi e ma ke ansac ions.
Ano he aspec o conside is he applicabili y o he al e na i es in a di e se so-
cio-economic con ex . The e alua ed policies equi e coope a ion wi h p i a e o -
ganisa ions and he gene al public and may be a ec ed by di e en scena ios.
Du ing he COVID-19 pandemic o example, he e was a huge inc ease in indi id-
ual esea che s’ pa icipa ion and ulne abili y submissions in bug boun y pla -
o ms (Z ahia e al., 2022), e lec ing he gig-economy na u e o his policy op ion
and i s sensi i i y o ex e nal shocks.
Finally, he us challenge a ises when he e is no bila e al dependency be ween
he selle and he buye . In e media ing pla o ms can sol e his ension, as illus-
a ed by a ious e-comme ce, knowledge economy and sha ing economy li e a-
u e sou ces (Akhmedo a e al., 2021; Soleimani, 2022; Zanini & Musan e, 2013).
In he bug boun y p og ams se ing, pla o ms can ac as a us ed hi d pa y o
ensu e ha he in e es s o bo h pa ies a e me (Mille , 2007). They can help e-
sea che s p o e he alidi y o disco e ed ulne abili ies wi hou disclosing hem
and help o ganisa ions e i y he alidi y o ulne abili ies be o e making pay-
men s.
6. Concluding hough s and limi a ions
Go e nmen s and o he policymake s ha e become highly conce ned wi h p o ec -
ing he cybe domain and hei in ol emen in his space is g owing. Go e nmen-
al in e en ion in he ma ke o ulne abili ies may shi ansac ions om he
black ma ke o he whi e ma ke and imp o e he secu i y pos u e o sys ems,
p oduc s and se ices used by he public di ec ly o indi ec ly. Some go e nmen s
ha e al eady implemen ed ela ed policies, bu o he s a e less in ol ed in his
ma ke . Well-conside ed and ca e ully hough -ou policies can p o ide aluable
o e sigh o sha ing ini ia i es, ad ance ulne abili y iden i ica ion and maximise
social wel a e.
This pape explo es h ee possible al e na i es o go e nmen al in e en ion in
he ma ke o ulne abili ies: implemen ing secu e de elopmen and pene a ion
es s, acqui ing ze o-day ulne abili ies and suppo ing bug boun y p og ams and
pla o ms. I p esen an impac ma ix quali a i ely measu ing he goals associa ed
wi h he disco e y and disclosu e p ocesses o each po en ial in e en ion a ea.
22 In e ne Policy Re iew 13(1) | 2024
While he al e na i es a e no mu ually exclusi e, bug boun y p og ams and pla -
o ms p oduce he highes impac and ha e a ela i ely low ba ie o en y o
bo h he o ganisa ions and he e hical hacke communi y.
The e o e, I ad ise go e nmen al en i ies, egula ion au ho i ies and o he policy
decision-make s o conside , encou age o p esc ibe bug boun y p og ams and
pla o ms based on comme cial o communi y-d i en coo dina ed disclosu e ini ia-
i es. Despi e he ex ensi e li e a u e on he ulne abili y ma ke , his pape com-
pa es ele an go e nmen al in e en ion al e na i es om a public policy pe -
spec i e, highligh ing hei ade-o s, ensions and misalignmen s, hus con ibu -
ing o he p oblem domain. Discussing hese s uc u es may se e as a s a ing
poin o guideline o mo i a e he design o a de ailed go e nmen al policy. How-
e e , u he in es iga ion o esea che incen i es, i m mo i a ions and bug boun-
y pla o m s a egies is equi ed o design mo e e ec i e p og ams. A ollow-up
s udy may check how bug boun y pla o m ope a o s could a ac mo e buye s
and selle s o encou age ulne abili y sha ing, and o ganisa ions maximise hei
u ili y unc ion om bug boun y p og ams.
The limi a ions o he pape a e wo old. Fi s , he ecommenda ion is subjec i e
and e lec s my in o med in e p e a ion, as he e is no p ecise objec i e measu e
o policy supe io i y. Second, hough he pape compa es h ee policies o go e n-
men al in e en ion, e alua ing and compa ing ins umen s needed o implemen
he selec ed op ion is beyond i s scope and equi es mo e explo a ion.
ACKNOWLEDGEMENTS
I am g a e ul o Alon Tal o insigh ul discussions and con inuous guidance. I also
hank he e iewe s o hei cons uc i e eedback.
Re e ences
Ablon, L., & Boga , A. (2017). Ze o days, housands o nigh s: The li e and imes o ze o-day
ulne abili ies and hei exploi s. RAND Co po a ion. h ps://doi.o g/10.7249/RR1751
Ablon, L., & Libicki, M. (2015). Hacke s’ bazaa : The ma ke s o cybe c ime ools and s olen da a.
De ense Counsel Jou nal, 82(2), 143–152. h ps://doi.o g/10.12690/0161-8202-82.2.143
Ake lo , G. A. (1970). The ma ke o ‘lemons’: Quali y unce ain y and he ma ke mechanism. The
Qua e ly Jou nal o Economics, 84(3), 488. h ps://doi.o g/10.2307/1879431
23 Z ahia
Akgul, O., Egh esad, T., Elaza i, A., Gnawali, O., G ossklags, J., Vo ipka, D., & Laszka, A. (2020). The
hacke s’ iewpoin : Explo ing challenges and bene i s o bug-boun y p og ams. P oceedings o he
6 h Wo kshop on Secu i y In o ma ion Wo ke s (WSIW 2020). Wo kshop on Secu i y In o ma ion
Wo ke s (WSIW 2020). h ps://www2.cs.uh.edu/~gnawali/pape s/bugboun y-wsiw20-abs ac .h ml
Akhmedo a, A., Vila-B une , N., & Mas-Machuca, M. (2021). Building us in sha ing economy
pla o ms: T us an eceden s and hei con igu a ions. In e ne Resea ch, 31(4), 1463–1490. h ps://d
oi.o g/10.1108/INTR-04-2020-0212
Annu-Essuman, K. (2014). An Analysis on he Regula ion o G ey Ma ke Cybe Ma e ials. Co nell
In e na ion A ai s Re iew, 8(1). h ps://doi.o g/10.37513/cia . 8i1.462
Apple secu i y boun y ca ego ies. (n.d.). Apple Secu i y Resea ch. h ps://secu i y.apple.com/boun y/ca
ego ies
A o a, A., & Telang, R. (2005). Economics o so wa e ulne abili y disclosu e. IEEE Secu i y and
P i acy Magazine, 3(1), 20–25. h ps://doi.o g/10.1109/MSP.2005.12
Bali, A. S., Howle , M., Lewis, J. M., & Ramesh, M. (2021). P ocedu al policy ools in heo y and
p ac ice. Policy and Socie y, 40(3), 295–311. h ps://doi.o g/10.1080/14494035.2021.1965379
Ba dach, E., & Pa ashnik, E. M. (2020). A p ac ical guide o policy analysis: The eigh old pa h o
mo e e ec i e p oblem sol ing. In CQ P ess; SAGE Publica ions (Six h). SAGE Publica ions.
Bienz, C., & Ju anek, S. (2020). So wa e ulne abili ies and bug boun y og ams. SSRN. h ps://doi.o
g/10.2139/ss n.3599013
Bilge, L., & Dumi aş, T. (2012). Be o e we knew i : An empi ical s udy o ze o-day a acks in he
eal wo ld. P oceedings o he 2012 ACM Con e ence on Compu e and Communica ions Secu i y,
833–844. h ps://doi.o g/10.1145/2382196.2382284
Böhme, R. (2006). A compa ison o ma ke app oaches o so wa e ulne abili y disclosu e. In G.
Mülle (Ed.), Eme ging T ends in In o ma ion and Communica ion Secu i y (Vol. 3995, pp. 298–311).
Sp inge Be lin Heidelbe g. h ps://doi.o g/10.1007/11766155_21
B ans, M., & Pa yn, V. (2017). Valida ing me hods o compa ing public policy: Pe spec i es om
academics and “p academics”. In oduc ion o he special issue. Jou nal o Compa a i e Policy
Analysis: Resea ch and P ac ice, 19(4), 303–312. h ps://doi.o g/10.1080/13876988.2017.1354560
Bugc owd. (2018). In eg a ing c owdsou ced secu i y wi h he so wa e de elopmen li ecycle.
Bugc owd. h ps://www.bugc owd.com/blog/in eg a ing-c owdsou ced-secu i y-wi h- he-so wa e-d
e elopmen -li ecycle/
Bugc owd. (n.d.). Repo ing a bug [Ins uc ion manual]. Bugc owd. h ps://docs.bugc owd.com/ esea
che s/ epo ing-managing-submissions/ epo ing-a-bug/
Çe in, O., Al ena, L., Gañán, C., & an Ee en, M. (2018). Le me ou ! E alua ing he e ec i eness o
qua an ining comp omised use s in walled ga dens. P oceedings o he Fou een h Symposium on
Usable P i acy and Secu i y. SOUPS 2018. www.usenix.o g/con e ence/soups2018/p esen a ion/ce i
n
Choi, J. P., Fe sh man, C., & Gandal, N. (2010). Ne wo k secu i y: Vulne abili ies and disclosu e
policy. The Jou nal o Indus ial Economics, 58(4), 868–894. h ps://doi.o g/10.1111/j.1467-6451.201
0.00435.x
Cybe a acks s a is ics. (n.d.). Hackmageddon. h ps://www.hackmageddon.com/ca ego y/secu i y/cy
24 In e ne Policy Re iew 13(1) | 2024