S&P2025
Study Club, Labor Union or Start-Up? Characterizing Teams and Collaboration in the Bug Bounty Ecosystem
Yangheran Piao, Temima Hrle, Daniel W. Woods, Ross Anderson
Abstract
A unique bug bounty ecosystem has evolved in China. Platforms allow groups of hackers to register together to receive team-level awards. However, little is known about the prevalence and productivity of these teams, or about how team members collaborate. To address this gap, we conducted a mixed-methods study. The first stage characterized teams from a top-down ecosystem perspective. We collected bug bounty rankings from 85 platforms, using fuzzy matching to identify 2.1k unique teams and 5.9k hunters. We show that 46% of users are registered as part of a team, and that hunters with teams are more than twice as productive as hunters without teams. The typical team has fewer than 10 members and operates on only a handful of platforms, but we also identified mega teams with hundreds of members participating in more than 50 platforms. The second phase provided bottom-up insights into why hackers join teams and how they collaborate within them. Our semi-structured interviews (n = 18) reveal that bug hunting teams are multi-faceted: part study club, part labor union, and part start-up. Teams act like study clubs in enabling knowledge exchange and skills development, and like labor unions in negotiating with bug bounty platforms and vendors. Hunter teams also display company-like aspects in earning and sharing revenue and in setting rules that members are expected to follow. In doing so, hunter teams help to address three of the main challenges that bug hunters face: skills development, negotiating with large technology companies, and income uncertainty.