Devising Effective Policies for Bug-Bounty Platforms and Security Vulnerability Discovery
Journal of Information Policy (IF 1.0), Pub Date: 2017-01-01, DOI: 10.5325/jinfopoli.7.2017.0372
Mingyi Zhao, Aron Laszka, Jens Grossklags

Bug-bounty programs have the potential to harvest the effort and diverse knowledge of thousands of independent security researchers, but running them at scale is challenging due to misaligned incentives and misallocation of effort. In our research, we discuss these challenges in detail and present relevant empirical data. We develop an economic framework consisting of two models that focus on evaluating different policies for improving the effectiveness of bug-bounty programs. Further, we discuss regulatory-policy challenges and questions related to vulnerability research and disclosure, such as mandatory bug bounties and the relation to other cyber-security policies.

Updated: 2017-01-01