Bug bounty programs were once novel; now they are common. Today, everyone—from United Airlines to the Department of Defense—seems to have a bounty program. Paying security researchers for flaws appears to offer up a “golden age of hacking.” Yet, the widespread adoption and institutionalization of bug bounty programs carries real risks for workers and the public. Drawing on the recent Data & Society Report co-authored with Yuan Stevens, Bounty Everything: Hackers and the Making of the Global Bug Marketplace (2022), this talk will explore how bounty programs transform the work of finding, disclosing, and fixing bugs. It reveals the new challenges and unexpected hazards that bounty programs pose to security researchers and documents how relying on vulnerable workers to fix vulnerable systems can lead to a world full of bugs. As bounty programs are adopted as a model for addressing a larger swath of sociotechnical harms, the talk outlines how bounty programs can be reimagined to ensure an equitable and secure future.


Ryan Ellis is an Associate Professor of Communication Studies at Northeastern. Ellis' research and teaching focus on topics related to communication law and policy, infrastructure politics, and cybersecurity. He is the author of Letters, Power Lines, and Other Dangerous Things: The Politics of Infrastructure Security (MIT Press, 2020) and the editor (with Vivek Mohan) of Rewired: Cybersecurity Governance (Wiley, 2019). Prior to joining the Department, Ellis held fellowships at the Harvard Kennedy School’s Belfer Center for Science and International Affairs and at Stanford University’s Center for International Security and Cooperation (CISAC). He received a Ph.D. in Communication from the University of California, San Diego.