A longitudinal study of hacker behaviour.

ACM Symposium on Applied Computing (SAC), 2022

Abstract
Bug bounty programmes employ the skills and curiosity of independent security researchers (hackers) to support pre- and post-deployment security. Driven by the question "How effective are bug bounty platforms at retaining the interest of hackers?", this paper addresses two issues concerning hackers' behaviour. First, to resolve the information asymmetry between programme operators and platform operators, it is necessary to measure the number of active hackers on a platform. Second, to assist programme operators' understanding, we identify the archetypal behaviours of hackers across a platform. We found that 6,813 hackers (with public accounts) have successfully submitted at least one vulnerability report on Bugcrowd. Of these, approximately 45% (with an account age greater than 9 months) can be considered inactive. We conclude that a significant number of inactive and unproductive hackers may contribute, in part, to the difficulties faced by programme operators. In particular, difficulty in retaining the focus of hackers can lead to underwhelming returns on the resources invested.
Keywords
Bug bounty programmes, vulnerability disclosure, software security, behavioural modelling