Two years ago at CanSecWest Charlie Miller, Alex Sotirov and Dino Dai Zovi declared there would be no more free bugs. One of the leading philosophies for the “no more free bugs” statement is that an organization paying an individual security researcher legitimizes that research and dramatically changes the organization’s posture on reported bugs. The paying organization is saying, “this has monetary value to us and we will pay you, not attack you, for finding bugs”. The researcher is incentivized because they get money and have a known, legitimate, working relationship with the organization paying the bug bounty. Fast forward to two years later. A lot of discussion has happened regarding bug bounties in the public eye. And a lot of money has been paid for security bugs.
The concept of a bug bounty is not new and many famous hackers have offered them over the years. Donald Knuth probably has one of the oldest, and most prestigious, bug bounty programs in existence. The idea of someone who writes software offering money, even $1, for a bug is rare. Fast forward to two years since that statement at CanSecWest. Google has a web bug bounty program and a browser bug bounty program. Mozilla has a bug bounty program. ZDI also has a prominent bug bounty program (they run Pwn2Own). The experiment on bug bounties is running full steam at this point in the information security community.
Looking at the list of recent rewards from the Google Chrome Releases blog and seeing all of the $ signs next to security bugs makes me happy. I don’t feel insulted when I get paid to report bugs. I do think getting Google dollars for hard research work is gratifying. This leads me to the conclusion that these kind of programs “work” at a fundamental level. How well they work is a discussion for another time. If you had $100K to augment your security budget, every one of those dollars spent in a bug bounty program would represent a lot of research for the amount of money involved.
Both comments and trackbacks are currently closed.