Incentives and Outcomes in Bug Bounties

📅 2025-09-20
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study investigates how reward incentives affect the efficacy of bug bounty programs, focusing on the impact of Google's reward increase on the quantity and quality of reported vulnerabilities. Employing empirical economic methods, including elasticity estimation and participant-level behavioral decomposition, the study provides the first quantitative assessment of heterogeneous effects across novice and experienced security researchers. Results show that the reward increase of up to 200% for the top impact tier significantly boosts submissions of high-value vulnerabilities. The increase stems from two complementary responses: newcomers contribute approximately 58% of it, while seasoned researchers contribute approximately 42%. The findings reveal a dual function of incentive design: attracting elite newcomers and redirecting experienced researchers toward higher-impact targets. These results deliver causal evidence for platform-based collaborative security governance and inform evidence-driven policy design for bounty programs.

📝 Abstract
Bug bounty programs have contributed significantly to security in technology firms in the last decade, but little is known about the role of reward incentives in producing useful outcomes. We analyze incentives and outcomes in Google's Vulnerability Rewards Program (VRP), one of the world's largest bug bounty programs. We analyze the responsiveness of the quality and quantity of bugs received to changes in payments, focusing on a change in Google's reward amounts posted in July 2024, in which reward amounts increased by up to 200% for the highest impact tier. Our empirical results show an increase in the volume of high-value bugs received after the reward increase, for which we also compute elasticities. We further break down the sources of this increase between veteran researchers and new researchers, showing that the reward increase both redirected the attention of veteran researchers and attracted new top security researchers into the program.
Problem

Research questions and friction points this paper is trying to address.

Analyzing how reward incentives affect bug quality and quantity
Studying responsiveness of bug submissions to payment changes
Examining how reward increases attract new researchers and redirect veterans
Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzed Google's bug bounty program incentives
Measured bug quality and quantity responsiveness to payments
Showed reward increases attracted both veteran and new researchers
Authors

Serena Wang
Harvard University, Google Research
Topics: machine learning, artificial intelligence, algorithms and society, economics, robustness

Martino Banchio
Google Research; Department of Economics and Innocenzo Gasparini Institute for Economic Research, Università Bocconi

Krzysztof Kotowicz
Google Research

Katrina Ligett
Hebrew University

R. Preston McAfee
Google Research

Eduardo' Vela'' Nava
Google Research