Bug bounties: Bad dog! Have a treat!
Bug bounty programs are probably very cost-effective for software vendors, but they reward bad behavior
Computerworld - Last month at the FIRST conference (the Forum of Incident Response and Security Teams) in Bangkok, Microsoft announced that it's joining the "bug bounty" crowd. Some might say, "Finally!" but I'm not convinced it's a positive move. No doubt, there are strong arguments both for and against bug bounty programs, but in the long run, I'm not a fan.
Bug bounty programs are used by quite a few software organizations to encourage their customers and the general public to report security vulnerabilities directly to the software organization. Most such programs encourage (or require) a responsible disclosure process, but in the end the vulnerability and its remediation are published to the world. So what's the big deal? Let's consider the pros and cons a bit.
In favor of bug bounties
Bug bounty programs are in essence an extension of security testing programs. They are an ad hoc form of outsourcing a company's security testing -- and, I should add, outsourcing it to a community of people who likely aren't under NDA and who, as non-employees, have no fiduciary responsibility to the software company at all. From the company's standpoint, they are relatively cost-effective, since the vendor ends up paying only for actual vulnerabilities, not for the time spent trying (and failing) to find them.
In Microsoft's case, it will pay up to $100,000 for novel exploitation techniques that bypass the protections built into the latest version of Windows, plus up to an additional $50,000 for defensive ideas that accompany such a submission. (Microsoft also offers up to $11,000 for critical vulnerabilities found in the Internet Explorer 11 Preview.) I suspect these amounts are far less than Microsoft would pay its own employees for the same vulnerability exploration and mitigation development work. Any vulnerability researcher will no doubt agree that far more time is spent searching and failing than searching and succeeding. Bug bounty sponsors have found a way to make all that searching-and-failing time cost-free to the software companies.
I'm confident that companies with bug bounty programs have weighed these costs carefully. Having held off on a public program for so long, Microsoft seems likely to have put a great deal of consideration and justification into its decision. Of course, I don't have access to the actual factors that influenced these decisions, but it stands to reason that the cost structure is beneficial for the sponsoring companies.
Against bug bounties
Part of what makes me dislike bug bounty programs is the fact that they reward bad behavior. I can't help but think that the bug finders are in essence holding a metaphorical gun to the heads of the software companies by saying, "Pay up, or I'm going to publish this vulnerability to the world." Perhaps that explains Microsoft's reluctance until now to embrace bug bounties. Let me explain why I think bug bounty programs are a doggie treat for bad pooches.
More by Kenneth van Wyk