CyLab Seminar: Rahul Telang

May 06, 2024

12:00 p.m. ET

Zoom or CIC room 4105, Panther Hollow

Rahul Telang

*Please note: this CyLab seminar is open only to partners and Carnegie Mellon University faculty, students, and staff.

Speaker:
Rahul Telang
Trustees Professor of Information Systems, Carnegie Mellon University's Heinz College of Information Systems and Public Policy

Talk Title:
Merchants of Vulnerabilities: How Bug Bounty Programs Benefit Software Vendors

Abstract:
Software vulnerabilities enable exploitation by malicious hackers, compromising systems and data security. This paper examines bug bounty programs (BBPs) that incentivize ethical hackers to discover and responsibly disclose vulnerabilities to software vendors. Using game-theoretic models, we capture the strategic interactions between software vendors, ethical hackers, and malicious hackers.  First, our analysis shows that software vendors can increase expected profits by participating in BBPs, explaining their growing adoption and the success of BBP platforms. Second, we find that vendors with BBPs will release software earlier, albeit with more potential vulnerabilities, as BBPs enable coordinated vulnerability disclosure and mitigation.  Third, the optimal number of ethical hackers to invite to a BBP depends solely on the expected number of malicious hackers seeking exploitation. This optimal number of ethical hackers is lower than but increases with the expected malicious hacker count.  Finally, higher bounties incentivize ethical hackers to exert more effort, thereby increasing the probability that they will discover severe vulnerabilities first while reducing the success probability of malicious hackers.  These findings highlight BBPs' potential benefits for vendors beyond profitability. Earlier software releases are enabled by managing risks through coordinated disclosure. As cybersecurity threats evolve, BBP adoption will likely gain momentum, providing vendors with a valuable tool for enhancing security posture and stakeholder trust.  Moreover, BBPs envelop vulnerability identification and disclosure into new market relationships and transactions, impacting software vendors' incentives regarding product security choices like release timing.

Bio:
Rahul Telang is Trustees professor of Information systems at the Heinz College at Carnegie Mellon University and at the Tepper School of Business (Courtesy). Professor Telang is broadly interested in the economic aspects of Information security and how it affects consumers, firms, and policymakers. He has done work on the Digital Media Industry with a particular focus on how digitization (and associated piracy) in copyrighted industries is affecting the incentives of content providers, distributors and users. His research is directed toward understanding and shaping an optimal copyright and intellectual property policy in the Digitization Era. He is co-director of a center, IDEA (Initiative for Digital Entertainment Analytics), and a popular book. He is the recipient of the NSF Career Award, NSA/NSF grant for work in information security and privacy, a Sloan Foundation fellowship, and numerous Google awards. Dr. Telang has published extensively in many top management and policy journals like Management Science, Marketing Science, ISR, MIS Quarterly, Journal of Policy and Management, and NBER chapters.

Upcoming Events