Abstract

Two questions to all organizations and hackers interested in bug bounty: As an organization, would you prefer to disclose your patched vulnerability reports publicly? As a hacker, do you prefer to find bugs in an organization that discloses vulnerability reports?

Public disclosure of vulnerabilities has always been a critical and controversial topic in cybersecurity. In this research, we analyze this topic from a bug bounty perspective and examine how the public disclosure of resolved vulnerability reports affects ethical hackers’ success in findings new vulnerabilities in bug bounty programs. Currently, it is unknown if disclosure positively or negatively affects hackers’ success in bug bounty programs. We used a large dataset of over 80,000 vulnerability reports collected from a HackerOne platform and analyzed through various statistical and econometric models, including multiple linear regression, logistics regression, and fixed-effect regression models. Our analyses show that public disclosure of past vulnerabilities negatively affects new discoveries in the bug bounty program. Disclosure negatively impacts the number of successful hackers in a bug bounty program. Disclosure affects new and experienced hackers, with the negative effect more pronounced for experienced hackers. We further validated our findings by exploring the valid and invalid disclosures – mainly, valid reports drive the negative impact.

Our findings suggest that disclosure creates “cognitive fixation” in hackers, which affects their search process and negatively impacts their creativity. Hackers must use disclosed information with caution. Disclosed reports can give valuable information but can also affect hackers’ creativity. Our research gives valuable insights to hackers and presents recommendations to organizations that continuously strive to attract hackers to their programs.