Abstract / Description of output
A unique bug bounty ecosystem has evolved in China. Platforms allow groups of hackers to register together to receive team-level awards. However, little is known about the prevalence and productivity of these teams, or how team members collaborate. To address this gap, we conducted a mixed-methods study.
The first stage characterized teams from a top-down ecosystem perspective. We collected bug bounty rankings from 85 platforms, using fuzzy matching to identify 2.1k unique teams and 5.9k hunters. We show that 46% of users are registered as part of a team, and that hunters in teams are more than twice as productive as hunters without teams. The typical team has fewer than 10 members and operates on only a handful of platforms, but we also identified mega teams with hundreds of members participating in more than 50 platforms. The second phase provided bottom-up insights into why hackers join teams and how they collaborate within them. Our semi-structured interviews (n = 18) reveal that bug hunting teams are multi-faceted: part study club, part labor union, and part start-up. Teams act like study clubs in enabling knowledge exchange and skills development, and like labor unions in negotiating with bug bounty platforms and vendors. They also display company-like aspects in earning and sharing revenue and in setting rules that members must follow. In doing so, hunter teams help address three of the main challenges bug hunters face: skills development, negotiating with large technology companies, and income uncertainty.
Field | Value
---|---
Original language | English
Title of host publication | 2025 IEEE Symposium on Security and Privacy
Publisher | Institute of Electrical and Electronics Engineers
Publication status | Accepted/In press - 16 Sept 2024
Event | 46th IEEE Symposium on Security and Privacy, The Hyatt Regency San Francisco, San Francisco, United States; 12 May 2025 → 15 May 2025; https://sp2025.ieee-security.org/index.html
Publication series
Field | Value
---|---
Name | IEEE Symposium on Security and Privacy
Publisher | Institute of Electrical and Electronics Engineers
ISSN (Print) | 1081-6011
ISSN (Electronic) | 2375-1207
Symposium
Field | Value
---|---
Symposium | 46th IEEE Symposium on Security and Privacy
Abbreviated title | IEEE S&P 2025
Country/Territory | United States
City | San Francisco
Period | 12/05/25 → 15/05/25