• Stefan Frei, Oliver Rochford



A large number of vendors lack the maturity, funding or incentive to invest in secure software development. This means that a) we do not know the true number of vulnerabilities in circulation, resulting in a shadow population of vulnerabilities; b) large parts of our digital economy and infrastructure are at risk from this shadow population; and c) the digital transformation is jumping without a parachute, with few universal mechanisms in place to ensure minimum standards and safe innovation.

Minimal software quality standards are few and far between and have proven notoriously difficult to enforce and quantify. Bug bounties, by contrast, have shown themselves to be an effective additional mechanism for improving vulnerability discovery while also reducing the supply of zero-day vulnerabilities and exploits available to malicious cyber actors. But they are not trivial to operate and have not yet been adopted widely or consistently. Startup vendors and open-source projects in particular struggle to fund and manage such programs, yet their technologies underpin the digital transformation.

Our analysis proposes and validates a model for a bug bounty program of broader scope (the Bug Bounty Program of Last Resort) by estimating the cost of a large-scale vulnerability purchase program that follows a coordinated disclosure process, and comparing that cost to the losses caused by cybercrime.

Key Findings

Financing a bug bounty program of last resort that offers competitive and lucrative compensation for vulnerability discovery and for innovative defensive tools is affordable. The benefits outweigh the costs, especially when the cost is expressed as a percentage of GDP (EU, US) and compared with the cost of cyber security and the damages resulting from cybercrime.

  • A shadow population of zero-day vulnerabilities exists due to a lack of consistent investment in vulnerability discovery.
  • The costs of vulnerability exposure have been fully externalized to end users, who are unable to quantify or manage the risk from the shadow population of vulnerabilities.
  • Our proposal, an industry-wide Bug Bounty Program of Last Resort (BBPLR) that expands coverage to all critical technologies and vendors, will reduce the risk posed by shadow vulnerabilities and shrink the pool of vulnerabilities available for cyber criminals to exploit.
  • Economically, a BBPLR is easily affordable while measurably improving the rate of vulnerability discovery to ultimately reduce the shadow vulnerability population and systemic risk.
  • The cost of USD 1.732 billion to purchase 81% of all medium- to critical-severity vulnerabilities of 2020 at USD 50k, 150k and 250k per vulnerability would be far less than 0.1% of the GDP of the OECD, the EU, or the US.
  • Purchasing vulnerabilities at scale makes economic sense if it reduces the overall losses to cybercrime by at least 0.5% (i.e. 0.5% of every USD 1,000 billion in losses).