Send message to Author

Paper short abstract

Cybersecurity is increasingly outsourced to a crowd of "ethical hackers" operating remotely. By logging onto bug bounty platforms, anyone can potentially start earning money by finding vulnerabilities for organizations remotely. This has reshaped hacker communities and cybersecurity practices.

Paper long abstract

The rapid digitization of the global economy has birthed a unique vulnerability, prompting organizations to increasingly rely on the crowdsourcing of cybersecurity as a defensive measure. Bug bounty programs represent a sophisticated mode of outsourcing where the task of identifying system vulnerabilities is delegated to a global, self-employed crowd of "ethical hackers". This arrangement serves as a prime example of geographical arbitrage, strategically juggling distance and labor costs, often attracting a precarious workforce from abroad to reduce organizational risk.

This paper explores the subtleties of outsourcing security, a field traditionally defined by strict internal confidentiality. By fragmenting security into discrete tasks, organizations engage in a form of compartmentalization that makes the "greater whole" of the information system difficult for the external worker to fully apprehend. Drawing on qualitative investigations into the bug bounty industry, I analyze how this delegation transforms the hacker ethos, evolving it from a counter-cultural identity into a standardized, professionalized form of platform labor.

Furthermore, I examine the unexpected effects of this shift, such as the emergence of a form of work characterized by extreme uncertainty, where hunters search for vulnerabilities without a guarantee of payment. By focusing on the organization, nature, and status of these workers, the paper questions the limits of what is outsourceable. Ultimately, I argue that while bug bounties are framed as effective tools for transparency, they simultaneously entail the risk of reinforcing unequal international divisions of labor and disrupt traditional security relationships, raising critical questions regarding the everyday ethics of digital delegation.