Study club, labor union or start-up? Characterizing teams and collaboration in the bug bounty ecosystem

Yangheran Piao, Temima Hrle, Daniel W. Woods, Ross Anderson

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract / Description of output

A unique bug bounty ecosystem has evolved in China. Platforms allow groups of hackers to register together to receive team-level awards. However, little is known about the prevalence and productivity of these teams, or how team members collaborate. To address this gap, we conducted a mixed-methods study.

The first stage characterized teams from a top-down ecosystem perspective. We collected bug bounty rankings from 85 platforms, using fuzzy-matching to identify 2.1k unique teams and 5.9k hunters. We show that 46% of users are registered as part of a team, and hunters with teams are more than twice as productive as hunters without teams. The typical team has fewer than 10 members and only operates on a handful of platforms, but we also identified mega teams participating in more than 50 platforms with hundreds of team members.

The second phase provided bottom-up insights into why hackers join teams and how they collaborate within teams. Our semi-structured interviews (n = 18) reveal that bug hunting teams are multi-faceted—part study club, part labor union, and part start-up. Teams act like study clubs in enabling knowledge exchange and skills development, and act like labor unions in negotiating with bug bounty platforms and vendors. Hunter teams also display company-like aspects in earning and sharing revenue and in creating rules that members should follow. In doing so, hunter teams help to address three of the main challenges that bug hunters face, namely skills development, negotiating with large technology companies, and income uncertainty.
Original language: English
Title of host publication: 2025 IEEE Symposium on Security and Privacy
Publisher: Institute of Electrical and Electronics Engineers
Publication status: Accepted/In press - 16 Sept 2024
Event: 46th IEEE Symposium on Security and Privacy - The Hyatt Regency San Francisco, San Francisco, United States
Duration: 12 May 2025 - 15 May 2025
https://sp2025.ieee-security.org/index.html

Publication series

Name: IEEE Symposium on Security and Privacy
Publisher: Institute of Electrical and Electronics Engineers
ISSN (Print): 1081-6011
ISSN (Electronic): 2375-1207

Symposium

Symposium: 46th IEEE Symposium on Security and Privacy
Abbreviated title: IEEE S&P 2025
Country/Territory: United States
City: San Francisco
Period: 12/05/25 - 15/05/25
Internet address: https://sp2025.ieee-security.org/index.html
