Authors: Ryan Ellis, Jaikrishna Bollampalli
This paper considers the utility of one such proposed strategy: the integration of bug bounty programs with open source projects. Stakeholders have proposed the expanded use of bounty programs—vulnerability reward programs that compensate participants who identify and disclose qualifying bugs—as one possible way to enhance open source software (OSS).
This paper examines the risks and opportunities associated with integrating bounty programs with open source projects. It argues that while bounties can enhance mature projects by reducing the costs associated with searching for and fixing previously unreported flaws, they also carry the potential for significant adverse impacts. As such, open source projects should exercise care when adopting bug bounty programs. The paper also identifies the benefits and harms associated with integrating bounty programs with OSS, and it uncovers the key prerequisites for successful integration.