Abstract
We study how bug bounty programs (BBPs) shape software vendors’ security and release choices. Vendors invest in internal assurance before release to reduce residual vulnerabilities, and after launch they must manage vulnerability discovery, disclosure, and remediation. We develop a game-theoretic model in which a vendor chooses release timing and severity-contingent bounties, anticipating effort by ethical and malicious hackers in a winner-take-all discovery race. The model highlights two linked mechanisms: an incentive channel that shifts first discovery of severe vulnerabilities away from malicious exploitation and toward ethical reporting, and a governance channel in which coordinated disclosure changes how vulnerability information is managed while remediation is underway. We derive closed-form optimal bounties and characterize a feasibility region that sustains positive bounties and interior success probabilities. Within this region, a BBP strictly increases the vendor’s expected profit by reallocating first-discovery probability on severe vulnerabilities from malicious to ethical hackers and by converting part of severe-loss exposure into bounded, pay-for-results expenditures. For private programs, we also solve for the optimal invited set of ethical hackers and show that this optimal set is strictly smaller than the expected number of malicious attackers. Higher bounties raise ethical hackers’ effort and first-discovery probabilities but also increase program cost, and they interact with reputational (non-monetary) incentives. Finally, in the baseline model, BBP adoption conditionally reduces the marginal value of additional pre-release delay and therefore conditionally implies earlier release relative to the no-BBP benchmark. This timing result is a within-model conditional implication; its practical relevance depends on operational readiness, triage throughput, and the vendor’s ability to validate and safely deploy fixes once a valid report arrives. 
Managerially, BBPs should be viewed as a post-release governance layer that complements strong internal assurance rather than as a substitute for it. Policymakers can support responsible use of BBPs by encouraging timely remediation, transparent post-patch disclosure, and reporting standards that reduce information asymmetry and triage frictions.
Keywords
Introduction
Software vulnerabilities, security flaws exploitable by attackers (Sen et al., 2020), create a recurring tension for software vendors: pressure to shorten time-to-market versus exposure to security losses driven by residual vulnerabilities at release. Vendors mitigate this risk through in-house secure development and testing, as well as post-release processes for receiving, triaging, and remediating vulnerability reports. Bug bounty programs (BBPs) have become a prominent mechanism for structuring post-release vulnerability discovery by incentivizing ethical reporting (Zhang et al., 2025).
We study how BBPs change incentives and information flows in vulnerability discovery, with particular attention to severe vulnerabilities that are subject to a race between ethical reporting and malicious exploitation. We characterize the optimal policy of a profit-maximizing vendor in a stylized environment and use the resulting comparative statics to explain adoption incentives, severity-contingent bounty pricing, and the marginal effects of BBPs on release timing. The goal of the article is to clarify incentives and market consequences that may not be visible in vendor-authored disclosures, rather than to offer a welfare-optimal policy prescription.
A central managerial puzzle motivating this study is that BBPs simultaneously invite external hackers to probe systems and typically rely on coordinated disclosure (also called controlled disclosure): participants report privately to the vendor, and public disclosure is staged or delayed until remediation. Coordinated disclosure can reduce exploit risk while a patch is developed, but it can also increase information asymmetry if users remain uninformed while exposure persists. In the model, BBPs therefore operate through two linked channels: an incentive channel that shifts first discovery of severe vulnerabilities from malicious exploitation toward ethical reporting, and a governance channel that reduces the vendor’s expected cost from uncoordinated public disclosure by conditioning rewards on private reporting. The strength of the governance channel depends on the length of the remediation window and on the vendor’s ability to process reports. AI can compress patch-drafting time while simultaneously increasing verification and triage burden, so the net effect of automation on this channel depends on operational readiness and deployment governance. In the limiting case of truly near-instant remediation, the private-information window created by coordinated disclosure becomes short, so the governance role of the BBP correspondingly shrinks even though the discovery-allocation role remains. When triage is congested or deployment is slow, coordinated disclosure matters more for risk containment, but it also prolongs the period of user-facing information asymmetry. This disclosure-governance tension is increasingly salient in practice and motivates our focus on BBPs as arrangements that jointly shape discovery incentives and the timing of information release (Telang and Hydari, 2025). 1
Existing work studies vulnerability disclosure and BBPs as incentive mechanisms and marketplaces (Feng et al., 2024; Zhang et al., 2025), but there is limited analytical guidance on the joint implications of three features that often co-occur in practice: severity-specific discovery races between ethical and malicious actors, BBP-induced control of disclosure timing and the associated information asymmetry, and release timing as a strategic decision that trades time-to-market against residual vulnerability risk. Our model integrates these elements and yields tractable implications that connect program design to both security outcomes and vendor incentives. Our analysis yields four main results. First, we derive vendor-optimal, severity-contingent bounty levels and show how they vary with the vendor’s loss exposure from severe vulnerabilities, the expected gains to malicious exploitation, and the reputational benefits associated with ethical reporting. Second, we characterize conditions under which a BBP is feasible and profitable, and we show how BBPs can shift the probability that severe vulnerabilities are first found by ethical hackers rather than malicious hackers. Third, for private programs we characterize the optimal invited set of expert ethical hackers and show how it scales with the adversarial threat. Fourth, we study the release-timing margin. Within the baseline model, feasibility of a BBP conditionally implies an earlier optimal release than in the no-BBP benchmark. We interpret this fourth result narrowly in practice: it is a within-model comparative static, and its practical relevance depends on operational readiness, triage throughput, and safe deployment capacity rather than following mechanically for every real-world BBP.
These results have practical implications. For managers, BBPs are best viewed as an additional governance layer rather than as a broad substitute for secure development practices. The baseline model highlights when monetary rewards versus reputational incentives are more effective, when severity-specific pricing is necessary to reduce exploitation risk, and when invite-set design matters in private programs. It also clarifies that the baseline model’s conditional earlier-release margin is most plausible in practice when the commercial value of early launch remains steep, report-processing capacity is not swamped by low-quality or duplicative submissions, and valid reports can be translated into safely deployable fixes without substantial backlog. For policymakers and standard-setters, the results underscore the need to balance controlled-remediation benefits against transparency concerns, particularly when disclosure terms affect user awareness and precaution-taking. Together, these implications motivate a more integrated view of BBPs that links incentive design, disclosure governance, and release strategy.
Related literature
BBPs formalize post-release vulnerability discovery by rewarding ethical hackers (also known as white-hat hackers or independent security researchers) for first, actionable reports under the BBP’s rules of engagement. In this literature review, our focus is on production and operations management (POM) literature that connects security incentives to firms’ operating and strategic choices (e.g., patching, disclosure, sourcing, cloud responsibility, release timing). 2 We complement this with targeted software security and BBP studies in computer science, information systems (IS), and economics that speak to bounty design, researcher behavior, disclosure, and platform dynamics. This blended view allows us to position a firm’s release timing and post-release software vulnerability (SV) discovery incentive design (BBPs) inside an operations framework while engaging the specialized BBP evidence base that motivates our modeling assumptions and comparative statics.
Software security economics: Patching, disclosure, and reputational forces
A core stream in POM and IS literature examines how liability, patching, and disclosure regimes shape firms’ incentives for software security. Arora et al. (2006) model a software monopolist’s trade-off between releasing earlier with more defects and investing in post-release patching. Because patching involves fixed costs and the marginal cost of distributing fixes is low, a larger market can make it optimal to sell first, fix later; they also show that the monopolist releases later and with fewer bugs than is socially optimal. Kim et al. (2011) analyze how product liability and patch-release policy interact to shape security investment and post-release patching behavior in a monopoly, helping explain when vendors rely more on post-release patching. Complementing this, Sen et al. (2020) study determinants of disclosure timing and document how producer characteristics and vulnerability features influence when discoverers choose to disclose, highlighting the strategic environment vendors face in the absence of formal coordination.
Empirical disclosure research connects public revelation to vendor behavior: Arora et al. (2010) show that disclosure accelerates patch release (i.e., increases the instantaneous patch-release rate, leading to shorter time-to-patch), consistent with disclosure imposing salient costs on vendors who delay. Theoretical work specifies when mediated disclosure is socially efficient. Cavusoglu et al. (2007) characterize responsible (coordinated) disclosure policies as those that minimize social loss and show non-obvious consequences of grace periods (the time window coordinators give vendors to develop patches before public disclosure) across single- and multi-vendor settings. Arora et al. (2008) model a social planner who sets disclosure timing to induce faster patches without unduly sacrificing quality, and analyze extensions with patch quality, partial adoption, and workarounds. Market-based mechanisms for vulnerability information also matter: Kannan and Telang (2005) compare unregulated market-based infomediaries against a public-good CERT-like coordinator and show that profit-driven infomediaries’ leakage incentives can yield inferior welfare, motivating care in the design of market instruments such as BBPs.
On the organizational side, firms face both reputational pressures and operational challenges in managing security. Using a field quasi-experiment, Tang and Whinston (2020) show that reputational sanctions—publicly listing and ranking negligent entities—reduce security negligence, with measurable spillovers to unlisted firms. From a dynamic risk-management perspective, Bensoussan et al. (2020) model security that deteriorates both continuously and abruptly, offering structural guidance for adapting protection and monitoring under time-varying exposure. Likewise, Mookerjee and Samuel (2023) consider security control when vulnerabilities are only partially observable, aligning with our modeling of residual severe and non-severe vulnerabilities at release. Additional evidence shows sizable real consequences of breaches in healthcare settings (Kwon and Johnson, 2025) and highlights how network and audit policies shape social cost (Ghosh et al., 2025).
At a field level, Kumar and Mallipeddi (2022) survey cybersecurity in operations and supply chains and call for models that embed security choices into core operating and strategic decisions—precisely the integration we undertake by jointly endogenizing release timing and post-release incentives via a bounty mechanism. That need is underscored by Massimino et al. (2018), who document inattention to digital confidentiality in operations and supply chain research and advocate designs that treat security as first-order.
Responsible disclosure models provide microfoundations for when coordination and grace periods minimize social loss (Arora et al., 2008; Cavusoglu et al., 2007). Policy instruments outside the vendor also shape equilibrium risk: Png and Wang (2009) compare enforcement against attackers with facilitating user precautions and show the conditions under which each lowers expected losses more effectively. Together with evidence that disclosure hastens patching (Arora et al., 2010), these results motivate our explicit cost for uncoordinated public disclosure and the BBP’s role in internalizing reports, structuring remediation, and shifting the vendor’s calculus.
Software development, release timing, and product strategy
We endogenize release timing jointly with a post-release discovery instrument. Related operations work offers complementary perspectives on pre/post-release effort. In maintenance, Kulkarni et al. (2009) formulate a queuing framework to optimally allocate effort, illuminating throughput–quality–delay trade-offs that also appear in pre-release testing. Coordination in distributed development affects the cost and timeliness of assurance; Xia et al. (2016) derive optimal coordination structures when development is distributed, implying that internal frictions can make pre-release testing more expensive or slower.
Crucially, Jiang et al. (2012) show that allowing post-release testing can rationalize earlier release yet lower lifetime field failures, even if more bugs remain at release, because testing continues in parallel with operations; their analysis also quantifies how market opportunity cost pulls release forward. On go-to-market levers, Li and Kumar (2022) analyze SaaS pricing and operations under subscription versus usage models, and Li et al. (2025) show how customizability and hybrid offerings change pricing and segmentation. Market structure also feeds back to quality choices: Zhou and Choudhary (2022) demonstrate how competition from open source can raise or lower proprietary quality and price depending on cost and usability differences.
Positioning and contribution
While Arora et al. (2006) studied how patching could facilitate earlier releases, our setting is distinct in both question and mechanism. Rather than asking how patching technology alone rationalizes early release, we study how a market design for post-release discovery, a BBP, reshapes incentives. Specifically, we jointly endogenize (i) pre-release testing via release timing and (ii) post-release incentive design (bounties and access), in the presence of strategic ethical and malicious actors who compete in winner-take-all discovery. We characterize the parameter region in which a BBP exists (linking normalized illicit gains and reputational payoffs), derive closed-form optimal bounties for severe and non-severe findings, and show that for private programs the optimal invite set is strictly below, but increasing in, the expected number of adversaries. We also characterize a baseline release-timing result: within the baseline model, BBP feasibility conditionally implies earlier release relative to the no-BBP benchmark. Its practical applicability is narrower, because governed post-release discovery affects real firms only when they can support triage, validation, and safe deployment operationally. These channels operate through who finds SVs first and how disclosures are controlled, rather than through patching economics alone.
Relative to the extant literature on patching, disclosure (Ahmed et al., 2021), and interdependent risk, we provide a unified, micro-founded treatment that embeds BBPs within core operations choices. We contribute: (i) closed-form bounty policies that combine reputational payoffs, breach costs, and competition among researcher types, complementing patching/liability and disclosure-timing studies (Arora et al., 2008; Kim et al., 2011; Sen et al., 2020) and dynamic protection under partial observability (Bensoussan et al., 2020; Mookerjee and Samuel, 2023); (ii) a feasibility region for BBPs in terms of normalized illicit and reputational payoffs, clarifying when market mechanisms can substitute for (or need) policy support; (iii) a new design insight for private BBPs, namely that the optimal invited expert set is strictly below, but increasing in, the anticipated number of adversaries, aligning with restricted-entry contest rationales; and (iv) a characterization of the conditional release-timing margin in the baseline model. The last result is intentionally narrower than a claim that BBPs generally substitute for internal testing in practice. Formally, it is a within-model conditional implication; practically, it identifies when governed post-release discovery can alter the marginal calculus of delay while still leaving strong complementarity between BBPs and internal assurance in levels. Finally, our analysis complements adjacent BBP studies (see e-Companion Section EC.12.2) on researcher motivations, timing, and cost effectiveness by connecting those levers directly to a firm’s release decision and quantifying the equilibrium reallocation of success probabilities between ethical and malicious hackers that underpins the profitability result and the baseline conditional timing result.
Model development
Software vendors face a recurrent release decision: ship sooner to capture time-sensitive commercial value and learning, or delay to reduce residual security risk. Pre-release software assurance includes manual and automated tests plus code review; it reduces, but does not eliminate, vulnerabilities. Virtually no complex software is released without residual vulnerabilities (Sen et al., 2020). Testing is costly in tools and skilled time, and it cannot replicate the full space of real user behavior or adversarial tactics. Adversarial techniques such as fuzzing help (Manès et al., 2019), yet no process can anticipate all cases. Post-release, firms combine several instruments to manage residual risk. Incident response and cybersecurity insurance primarily contain losses after exploitation. In contrast, patch management and BBPs aim to identify and remediate vulnerabilities before exploitation by accelerating discovery and controlled disclosure. Patching addresses known bugs once identified; post-release discovery occurs via internal monitoring, user reports, adversarial exploitation, public disclosure (e.g., CERT Coordination Center), and BBPs.
We next formalize vulnerability severity, since controlled disclosure choices and bounty design depend on impact. Software vulnerability severity reflects “the highest failure impact that the defect could cause” (IEEE Computer Society, 2010). One of the most widely used severity metrics, the Common Vulnerability Scoring System (CVSS), provides numerical scores (0.0–10.0) that correspond to qualitative scores: none, low, medium, high, and critical. 3 These ratings serve to inform users of potential impacts, help vendors prioritize fixes, and support vulnerability analysis (Munaiah and Meneely, 2016). We classify SVs into two categories: “severe” (corresponding to CVSS high and critical ratings) and “non-severe.” These categories align with different hacker capabilities and incentives. 4
Bug bounty programs
BBPs formalize post-release discovery: vendors publicly specify scope and rules and pay rewards to white-hat hackers for first, valid, actionable reports. 5 The bounty is paid only to the first valid reporter, so the mechanism is winner-take-all and pay-for-results. BBPs let vendors access specialized security expertise that would be costly to maintain in-house, while providing white-hat hackers with legal safe harbor, recognition, and monetary incentives. In contrast to fixed in-house testing budgets, BBP spending scales with delivered findings. By conditioning payment on private reporting and adherence to program rules, BBPs internalize reports and enable vendor-controlled disclosure until remediation. In practice, however, this governance function also requires verification, deduplication, severity classification, and researcher communication. These operating burdens matter for implementation because a program can attract low-quality or duplicative submissions, especially when report generation is partially automated, thereby raising effective triage cost even if gross discovery volume rises.
Large vendors sometimes run direct programs; smaller vendors frequently use platforms such as HackerOne or Bugcrowd (among others) that match researchers to programs, enforce safe-harbor norms, and provide triage and controlled-disclosure workflows. Platform-mediated BBPs have expanded participation and made programs viable for firms that could not attract sufficient independent attention. Our analysis focuses on vendor-initiated BBPs, which constitute the dominant model and align with our research question on vendor release and incentive design. Customer-initiated programs (e.g., an enterprise inviting testing of third-party software it relies on) involve different objectives and are outside our scope.
Model overview
Our model features a software vendor, white-hat hackers (WHHs), and black-hat hackers (BHHs). The vendor manages residual SV risk through release timing and severity-contingent bounties; hackers exert effort in winner-take-all discovery races. We distinguish expert WHHs (eWHH), who can discover severe and non-severe vulnerabilities, from non-expert WHHs (neWHH), who target non-severe vulnerabilities. BHHs operate outside legal bounds and pursue illicit gains by exploiting severe vulnerabilities (e.g., ransomware). We focus on technically sophisticated BHHs capable of high-impact exploitation; omitting less skilled adversaries who target only non-severe vulnerabilities centers the analysis on the policy-relevant risk of catastrophic loss. Types and motives are fixed during the game. Modeling gray-hat behavior or type switching would require a richer dynamic model and is left for future work.
We assume that
When BHHs find a severe SV before the rest, they obtain an illicit payoff (
BBP design affects participation and the skill mix of participating researchers. To incorporate this channel, e-Companion Section EC.11 introduces heterogeneous expertise among expert WHHs and an increasing outside option, yielding a cutoff participation condition and an endogenous expected expertise level among participants. In that extension, the severe bounty
E-Companion Table EC.1 provides abbreviations and variable definitions.
Hacker efforts, costs, and payoffs
Hackers choose their effort levels to find SVs, incurring quadratic costs. Let
Throughout, the effort variables should be interpreted as search intensity (the intensity or share of attention devoted to searching for a class of vulnerabilities) rather than as a sequential count of distinct bugs. The convexity of the cost function is a reduced-form way to capture increasing marginal opportunity and coordination costs of raising intensity (e.g., attention, verification, and reporting bandwidth), which helps support an interior equilibrium in the winner-take-all discovery contest. This interpretation does not require that the “next” vulnerability is technologically harder than the previous one.
The parameter
BHHs exclusively target severe SVs, as non-severe SVs offer little illicit gain. It is important to distinguish the BHH’s expected illicit gain (
The parameters
Software vendors face a critical trade-off: launching products rapidly to capture time-sensitive commercial value, customer learning, and ecosystem positioning versus delaying release to conduct rigorous pre-release security testing. The release time,
We assume
Success probabilities in vulnerability discovery
For any type of hacker, success is defined as being the first to discover a software vulnerability (SV). Success in vulnerability discovery is inherently a winner-take-all competition. 8 For WHHs, this structure emerges naturally from BBP rules that reward only the first WHH to report a previously unknown vulnerability. In general, being second yields no reward, regardless of independent discovery or effort invested. Similarly, while multiple BHHs could theoretically benefit from exploiting the same vulnerability, practical dynamics often make it a winner-take-all scenario. Once a BHH exploits a vulnerability and successfully extracts illicit gains, the exploitation itself often alerts the software vendor, leading to emergency workarounds or patching that prevents further exploitation by other BHHs. 9
To make the analysis tractable, we focus on type-symmetric equilibria where hackers of the same type (eWHH, neWHH, and BHH) face similar payoff structures and choose the same effort levels. In a type-symmetric equilibrium, the probability that any hacker discovers a bug first is inversely proportional to the total number of competitors—
Note that our assumed functional form for the success probabilities is qualitatively similar to that derived from an exponential distribution of bug discovery times (see e-Companion Section EC.2). In the exponential model, the probability that the focal eWHH
Two-stage Stackelberg game formulation
We model the strategic interaction between the software vendor and hackers as a Stackelberg game in which the vendor acts as the leader. Figure 1 depicts the sequence of the game. In the first stage, the software vendor commits to software release timing

Sequence of decisions in the Stackelberg game: The vendor chooses release time
We solve this two-stage game for subgame perfect equilibrium using backward induction. The solution involves first deriving the Nash equilibrium of the second-stage subgame among hackers for a fixed bounty amount and release time by the vendor in stage one. Then, incorporating these anticipated hacker responses, we solve the vendor’s first-stage optimization problem to determine the optimal release timing and bounty amounts.
In the second stage, hackers respond to the vendor’s choices of release time
The first and second terms on the RHS of (8) are the expected payoffs from finding severe and non-severe SVs, respectively. The last term is the effort cost of finding the SVs. Substituting equations (4) and (5) for success probabilities and equation (1) for the effort costs in (8) leads to the following equation:
The total expected payoff for neWHH is given by the following equation:
Finally, the total expected payoff for BHH is given by, where
In a type-symmetric equilibrium, the eWHH may allocate effort to discovering severe and non-severe SVs (i.e.,
When
Lemma 1 states that expert white hats do not allocate any effort to finding non-severe SVs when the expected payoff of an eWHH from severe bugs (normalized by the effort cost multiplier) exceeds the expected payoff from non-severe bugs. Additionally, it specifies the optimal effort allocation for each type of hacker. These optimal solutions follow directly from the concavity of hackers’ payoff functions with respect to their effort choices (
The relationship between these effort levels and discovery outcomes is captured in Lemma 2, which derives equilibrium first-discovery probabilities for severe vulnerabilities (expert WHHs vs. attackers) and a reduced-form non-severe reporting yield for non-expert WHHs in the type-symmetric equilibrium. 10
For fixed bounty amounts (
The severe-vulnerability success probabilities in (15) and (17) are obtained by substituting the optimal effort levels (equations (12) to (14)) into the severe-vulnerability probability expressions (equations (4) and (7)) and imposing type symmetry. 11 For each type of hacker, the probabilities reveal key insights into competitive dynamics. For eWHH, the success probability increases with a higher reward-to-cost ratio and the likelihood of residual vulnerabilities, while decreasing with BHHs’ illicit gain-to-cost ratio. The neWHHs’ success probability exhibits a simpler relationship, being directly proportional to both the likelihood of residual non-severe vulnerabilities and the bounty offered, while inversely related to the number of competing neWHHs. BHHs’ success probability, conversely, increases with their illicit gain-to-cost ratio and decreases with the ethical hackers’ reward-to-cost ratio, while also being positively related to the likelihood of residual vulnerabilities. These probabilities underscore the competitive nature of vulnerability discovery between ethical and malicious hackers. The success probability of one group necessarily affects the other in a winner-take-all dynamic, where only the first to discover a vulnerability receives the benefit. This relationship is particularly evident in severe vulnerabilities, where eWHHs and BHHs directly compete for discovery. The relationship between bounty amounts and success probabilities is particularly notable, as illustrated in Figure 2. As the monetary reward (bounty) offered to WHHs increases, their success probability rises, while that of BHHs decreases. The increased success probability for WHHs stems from higher bounties incentivizing them to exert more effort in searching for vulnerabilities, improving their chances of discovery before BHHs can exploit them.

Success probability for WHH and BHH versus bounty for SV offered to WHH. WHH = white-hat hacker; BHH = black-hat hacker; SV = software vulnerability.
The timing of software release plays a crucial role through its effect on the likelihood of residual vulnerabilities. Earlier releases typically mean higher likelihood of residual vulnerabilities, which increases the success probabilities for all types of hackers proportionally. This relationship between release timing and vulnerability discovery success probabilities becomes particularly important when considering the vendor’s optimal release strategy.
In the first stage of the game, the software vendor determines the bounty amounts
To characterize the vendor’s optimal strategy, we first analyze the optimal bounty choices for any chosen release timing decision. The following proposition characterizes the optimal bounties. Conditional on the vendor’s release-time choice, the optimal bounty for severe vulnerabilities balances (i) the vendor’s expected marginal loss from a severe breach and the malicious hackers’ expected illicit gains against (ii) the vendor’s expected payout cost and the incentives needed to shift discovery toward ethical researchers. Consequently, the optimal severe-vulnerability bounty is increasing in the vendor’s loss from a severe breach and in malicious hackers’ illicit gains, and decreasing in ethical hackers’ reputational incentives. The optimal bounty for non-severe vulnerabilities is proportional to the expected loss from non-severe defects that are discovered by users.
When eWHHs differ in expertise and participation is endogenous, higher
The closed-form bounty schedule provides a micro-founded pricing rule for coordinated post-release discovery that complements operations work on patching/liability and disclosure timing. By jointly incorporating vendor breach costs, attackers’ normalized illicit gains, and ethical hackers’ reputational payoffs, the policy links incentive design to the speed–security trade-off emphasized in the OM and IS literature (see e-Companion Section EC.12.4). It also connects BBPs to the economics of innovation tournaments, where prize magnitude and access rules shape participation and effort (see e-Companion Section EC.12.3). The severe-bounty formula clarifies how monetary rewards should rise with breach stakes and attackers’ outside options and fall with the strength of reputational payoffs. Because the optimal severe bounty increases with the likelihood of residual severe vulnerabilities at release, the design is intrinsically dynamic: as testing reduces residual risk, the efficient severe bounty declines, tying payout policy to the vendor’s release timing and test intensity choices. Managerially, the rule has two practical implications. First, bounty budgets should be calibrated against two observables: internal breach-cost models for severe incidents and external indicators of exploit value or attacker effort cost, which jointly proxy the attacker’s normalized gains. Second, vendors can economize on monetary outlays by deliberately cultivating reputation mechanisms, public acknowledgments, leaderboard visibility, and common vulnerabilities and exposures (CVE) credits, because reputational benefits substitute for cash in the optimal policy. 
Together, these design principles translate the theory into a compensation scheme that is consistent with controlled disclosure objectives in operations and with observed contest dynamics, and they situate BBP pricing squarely within core OM decisions on quality assurance and post-release remediation (see e-Companion Sections EC.12.3 and EC.12.4).
In the model,
Feasibility region for the existence of a BBP
For a bounty program to exist, the vendor should be willing to pay positive bounties to WHHs. In addition, it should also be the case that WHHs and BHHs have positive probabilities of finding SVs first. Using the expressions we derive for the success probabilities in equations (15) to (17) and the optimal bounties in equations (20) to (21), we can obtain conditions to support the existence of a bounty program. Lemma 3 reports the requirements the parameters should satisfy.

Lemma 3 (Feasibility of a BBP). A BBP is feasible, in the sense that the vendor optimally offers a strictly positive severe-vulnerability bounty and the severe-bug discovery contest yields interior success probabilities for both ethical and malicious hackers, if and only if the net incentive advantage of malicious hacking (normalized illicit gains) over ethical hacking (normalized reputational incentives) lies within a bounded interval. The lower and upper bounds of this interval are determined by the vendor’s breach losses, the intensity of competition in the severe-bug discovery contest (the number of ethical and malicious researchers searching for severe bugs), and the release-time-dependent severity exposure.

Feasibility region for bug bounty programs (BBPs) (Lemma 3). A paid BBP with interior severe-vulnerability discovery outcomes exists if and only if the net normalized incentive gap
Derivations and additional characterization of the bounds are provided in the e-Companion (Section EC.6). In particular, since
To determine the effect of establishing a BBP on the release time of the software and the firm’s profits, we start by considering the optimal release time of the software for a vendor without BBP.
Optimal release time without BBP
First, note that in the absence of a BBP,
There are potentially three types of costs when SVs are discovered. First, the vendor may incur the cost
The objective function of the vendor without a bounty program becomes as follows:
Assuming the interior region where
The assumptions that
Lemma 3 establishes the bounds for
The following proposition states the effect of the BBP on vendor profits.
Proposition 2. Whenever a BBP is feasible (as defined in Lemma 3), adopting the program strictly increases the vendor’s expected profit relative to not adopting a BBP.
Proposition 2 follows from equation (30): since the second term

Proposition 3 (Earlier Release With BBP in the Baseline Model). In the baseline model, whenever a BBP is feasible (as defined in Lemma 3), the vendor optimally releases the software earlier than it would in the absence of a BBP.
The proof, included in e-Companion Section EC.10, establishes a within-model result: in the baseline specification, feasibility of the BBP is conditionally sufficient for earlier release relative to the no-BBP benchmark. The proposition does not formally impose triage congestion, validation delays, or deployment frictions; those practical considerations enter through the discussion below and through e-Companion Section EC.9. We therefore interpret the result narrowly when mapping it to practice. It is not a claim that BBPs broadly replace internal assurance. Rather, the proposition identifies how the BBP’s risk-conversion mechanism changes the marginal calculus of delay in the baseline model, whereas the real-world relevance of that margin depends on whether the vendor can validate reports, triage them quickly, and translate valid findings into safely deployable patches without substantial backlog.

Impact of bug bounty program (BBP) on optimal release time and profit in the baseline model. An illustrative numerical visualization consistent with Lemma 3 and Propositions 2 and 3. Within the baseline-model feasibility region, BBP adoption shifts expected profit upward and moves the optimal release time earlier.
By evaluating the vendor’s profit maximization condition with BBP at the optimal release time chosen without BBP, we show that the vendor prefers to release earlier when a BBP is present. To understand Proposition 3 intuitively, note that the vendor’s profit function with a BBP includes additional positive terms arising from optimal bounty rewards that depend on the probability of residual vulnerabilities. These bounty-related terms decrease with delay because, as more testing is carried out,
The direction and strength of the timing effect also depend on the shape of launch value and on the program’s operating burden. If delay has a steep commercial cost, then governed post-release discovery can make the final units of pre-release delay less attractive. If, however, market conditions or AI-mediated interface bypass flatten the launch-value gradient
E-Companion § EC.9 shows that the profitability and timing implications of a BBP rely on operational readiness. If patching is slow, the vendor suffers prolonged post-discovery exposure, captured there by the term
Optimal scope for private BBPs
We now consider
Solving the first-order condition,
The solution yields three structural insights. First, the optimal invite size
This scope result advances OM research on contest design by providing a security-specific microfoundation for restricted entry. Consistent with innovation tournament theory (see e-Companion Section EC.12.3), restricting the invited pool maintains high individual stakes while simultaneously mitigating operational frictions such as triage congestion and duplicate submissions (Akgul et al., 2023). Managerially, this reframes crowd size as a dynamic operating lever: private BBPs should be sized to the threat (
This article analyzes how BBPs reshape vendors’ security and release choices by embedding coordinated post-release vulnerability discovery and disclosure into the firm’s operating problem. In the model, the vendor chooses release time and severity-contingent bounties, while expert and non-expert ethical hackers and malicious attackers compete in winner-take-all discovery races.
The analysis yields four core findings. First, we derive closed-form bounty schedules. The optimal severe-vulnerability bounty increases with the vendor’s breach loss and attackers’ normalized illicit gains, decreases with ethical hackers’ reputational payoffs, and rises with the likelihood of residual severe vulnerabilities at release. The optimal non-severe bounty is proportional to the expected loss from non-severe defects that would otherwise be discovered by users. Second, we characterize a feasibility interval, expressed in normalized illicit and reputational terms, that guarantees positive bounties and interior discovery outcomes. Within this interval, a BBP strictly increases expected vendor profit by reallocating first-discovery probability on severe vulnerabilities away from attackers and toward coordinated ethical reporting, thereby converting catastrophic breach exposure into bounded, pay-for-results expenditures. Third, for private BBPs, the optimal invited set of expert ethical hackers increases with expected threat intensity but remains strictly smaller than the expected number of attackers, reflecting winner-take-all incentive dilution. Fourth, in the baseline model, BBP feasibility conditionally implies earlier release relative to the no-BBP benchmark because governed post-release discovery reduces the marginal benefit of additional delay. This fourth result is intentionally narrow: it is a within-model conditional implication, whereas its practical relevance depends on operational readiness, triage throughput, and safe deployment capacity.
For practice, BBPs are best interpreted as an additional governance layer that complements strong internal assurance while changing how residual vulnerability risk is managed. Managers should calibrate severe bounties against breach-loss models and attacker monetization proxies, actively invest in reputation mechanisms (e.g., public acknowledgment and researcher status) that substitute for cash in attracting high-effort reporting, and, when programs are private, right-size the invited set to preserve effort incentives and limit triage congestion. If scarcity in illicit markets raises the expected monetization of the remaining severe vulnerabilities, the model predicts that vendors must raise severe bounties to remain competitive, although this pressure is naturally capped by the exploitability and economic value of any given bug. Even when the release-timing margin does not carry over to practice, these bounty-design, feasibility, and scope results continue to guide program design. When the baseline model’s conditional timing margin is practically relevant, it is most plausible when launch-value losses from delay remain steep, report-processing capacity is not overwhelmed by low-quality or duplicative submissions, and valid reports can be translated into safely deployable fixes without substantial backlog.
These results also have governance and policy implications. Coordinated disclosure internalizes reporting and concentrates vulnerability information with the vendor during remediation, which can reduce exploit risk but also create information asymmetry for users. Governance mechanisms that preserve coordinated reporting while limiting socially costly opacity include: (i) time-bounded disclosure norms and staged disclosure (limited details pre-patch, fuller details post-patch), (ii) standardized severity and reporting formats that reduce classification disputes and improve comparability, and (iii) incentives or requirements tied to remediation service levels and transparent post-patch disclosure. The goal is to retain the efficiency gains from coordinated discovery while limiting user exposure during remediation.
Several limitations suggest directions for future research. The baseline takes hacker populations as exogenous; the e-Companion endogenizes expert participation and expertise selection among ethical hackers (e-Companion Section EC.11), and additional work could jointly endogenize attacker entry and dynamic learning in a unified framework. A second limitation concerns report-processing frictions. Low-quality or duplicative submissions, including AI-assisted report noise, raise verification and triage cost, while AI-assisted engineering can shorten diagnosis and patch drafting. A fuller treatment would model these offsetting forces formally rather than as reduced-form robustness checks. A third limitation concerns the remediation window and vendor reputation. E-Companion Section EC.9 shows that slower patching weakens the benefit of governed discovery; future work could extend this by modeling vendor-side reputational penalties for known-but-unpatched vulnerabilities, particularly when disclosure or leakage occurs before a fix is deployed. Finally, our analysis is firm-centric; a welfare extension would incorporate user losses during nondisclosure and the value of precaution enabled by earlier information, and would study how optimal bounty design interacts with disclosure rules and reporting requirements that internalize these externalities.
Supplemental Material
sj-pdf-1-pao-10.1177_10591478261448668 - Supplemental material for Merchants of vulnerabilities: How bug bounty programs benefit software vendors
Supplemental material, sj-pdf-1-pao-10.1177_10591478261448668 for Merchants of vulnerabilities: How bug bounty programs benefit software vendors by Esther Gal-Or, Muhammad Zia Hydari and Rahul Telang in Production and Operations Management
Acknowledgments
The authors gratefully thank the reviewers of POM.
Funding
The authors received no financial support for the research, authorship and/or publication of this article.
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
How to cite this article
Gal-Or E, Hydari MZ and Telang R (2026) Merchants of vulnerabilities: How bug bounty programs benefit software vendors. Production and Operations Management x(x): 1–19.
