Organizational Learning on Bug Bounty Platforms

AMCIS 2020 PROCEEDINGS (2020)

Abstract
Crowdsourced vulnerability discovery has become an increasingly popular method to find security vulnerabilities in a system. In this research, we have analyzed the firm's experience-performance relationship in resolving such security vulnerabilities on bug-bounty platforms. Using a dataset from HackerOne, a major bug bounty platform, we have shown that the firms' vulnerability resolving time on the platform has a U-shape relationship with their experience in resolving the reports. We argue that the firms over-generalize their limited experience initially, which leads to a negative experience effect on resolving performance. However, as the firms encounter more reported vulnerabilities, the actual learning effect dominates the experience effect and improves the firms' resolving performance. We further show that the firms' resolving performance depends on the relevance of the information they received. When the reported vulnerability is relevant and receives a bounty reward, it alleviates the over-generalizing effect but introduces an information overload effect.
Keywords
Vulnerability, Resolution-time, bug bounty, hacking, learning curve