Lecture: Sleeping with the Enemy: An Economic and Security Analysis of Bug Bounty Programs. Posted: 2022-11-25


Title: Sleeping with the Enemy: An Economic and Security Analysis of Bug Bounty Programs

Speaker: Jiali Zhou, Ph.D. candidate, Hong Kong University of Science and Technology

Host: 徐海峰 (Xu Haifeng), Assistant Professor, Antai College of Economics and Management, Shanghai Jiao Tong University

Time: Tuesday, 29 November 2022, 14:00-15:30

Venue: Tencent Meeting (SJTU faculty and students who need the meeting ID and password, please e-mail xuziqing@sjtu.edu.cn)


Abstract:

In a bug bounty program, a firm offers a reward (the bug bounty) to encourage the public to report vulnerabilities that could otherwise be exploited to harm its systems. In this paper, we analyze the economic and security implications of bug bounty programs. We show that a bug bounty program is economically beneficial to a firm when the firm has low in-house efficiency in finding vulnerabilities, or when it faces a high proportion of coopetitive hackers (bug reporters who would otherwise pose a security risk by misusing vulnerability information). The firm enjoys two benefits from a bug bounty program: attack diversion and protection delegation. Although a bug bounty program leads the firm to reduce its in-house protection, we show that the firm optimally retains enough in-house protection to keep the system more secure overall. Finally, we show that even when the firm can benefit from hackers' help in identifying vulnerabilities, it may lack incentives to mitigate the legal risk of security testing on its systems by including a safe harbor term in the bug bounty program. We suggest several policies supplementing the safe harbor provision to avoid this dilemma, and we draw related implications for research and practice in information security and crowdsourcing.

About the Speaker

Jiali Zhou is a PhD candidate in Information Systems at the Hong Kong University of Science and Technology. He is interested in how to address the various risks brought by IT, and his current research combines analytical modelling and causal inference methods to investigate (1) how to leverage crowdsourcing to improve information security, (2) the implications of algorithm manipulation, and (3) ways to counter emerging IT risks, such as social-media-induced bias and underground hacker marketplaces. His ongoing projects are under revision at Management Science or have been presented at leading Information Systems conferences. Before his doctoral studies, he obtained degrees from Peking University (Guanghua School of Management) and Huazhong University of Science and Technology.

All faculty and students are welcome to attend!