Bounty Everything: Hackers and the Making of the Global Bug Marketplace

Data & Society, January, 2022
By Ryan Ellis & Yuan Stevens


In Bounty Everything: Hackers and the Making of the Global Bug Marketplace, researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in “bug bounty” programs—programs that hire hackers to discover and report bugs or other vulnerabilities in their systems. This report illuminates the risks and insecurities for hackers as gig workers, and how bounty programs rely on vulnerable workers to fix their vulnerable systems.


Ellis and Stevens’s research offers a historical overview of bounty programs and an analysis of contemporary bug bounty platforms—the new intermediaries that now structure the vast majority of bounty work. The report draws directly from interviews with hackers, who recount that bounty programs seem willing to integrate a diverse workforce in their practices, but only on terms that deny them the job security and access enjoyed by core security workforces. These inequities go far beyond the difference experienced by temporary and permanent employees at companies such as Google and Apple, contend the authors. The global bug bounty workforce is doing piecework—they are paid for each bug, and the conditions under which a bug is paid vary greatly from one company to the next.


Bounty Everything sets out to reimagine how bounty programs can better serve the interests of both computer security and the workers who protect our digital world. Ellis & Stevens argue that if bounty programs are not designed and implemented properly, “this model can ironically perpetuate a world full of bugs that uses a global pool of insecure workers to prop up a business model centered on rapid iteration and perpetual beta.”


About the Authors:

Ryan Ellis is an Assistant Professor of Communication Studies at Northeastern University. His research and teaching focus on topics related to communication law and policy, infrastructure politics, and cybersecurity. His current research project focuses on the invention of the market for software bugs. He is the author of the upcoming Letters, Power Lines, and Other Dangerous Things: The Politics of Infrastructure Security (MIT Press) and the co-editor of Rewired: Cybersecurity Governance (Wiley, 2019).

Yuan (“You-anne”) Stevens is a legal and policy expert focused on information integrity, data protection and human rights. She works towards a world where powerful actors—and the systems they build—are held accountable to the public, especially when it comes to equality-seeking communities. She brings years of international experience to her work, having examined the impacts of technology on marginalized populations in Canada, the US and Germany. She obtained her joint JD/BCL from McGill University in 2017.