Inter-Temporal Reward Decisions with Strategic Ethical Hackers

2023 IEEE Conference on Communications and Network Security (CNS) (2023)

Abstract
A skyrocketing increase in cyber attacks significantly elevates the importance of secure software development. Companies launch various bug-bounty programs to reward ethical hackers for identifying potential vulnerabilities in their systems before malicious hackers can exploit them. One of the most difficult decisions in bug-bounty programs is how to reward ethical hackers appropriately. This paper develops a model of an intertemporal reward strategy with endogenous e-hacker behaviors. We formulate a novel game model to characterize the interactions between a software vendor and multiple ethical hackers. The impacts of the ethical hackers’ strategic bug-hoarding behaviors and their competition on the program’s performance are evaluated. We demonstrate the effectiveness of the dynamic reward mechanism in attracting ethical hackers and encouraging early bug reports. The optimal levels of rewards and timing of reward change are discussed. We show that ignoring the ethical hackers’ strategic behaviors might lead to either too little incentive to attract ethical hackers or too much incentive which motivates them to hoard bugs for higher rewards.
Keywords
ethical hacker, vulnerability market, strategic behavior, bug bounty, inter-temporal reward, game theory