Crowdsourced flaw-finding cheaper than in-house bug hunters

A study into the once-controversial practice of vulnerability rewards programs (VRPs) – paying researchers bug bounties for reporting security flaws – has found that for browser builders, the practice is not only more effective at spotting problems that hiring code-checkers, it's also much better value for the money. "We find …

COMMENTS

This topic is closed for new posts.
  1. andreas koch

    Not just cheaper.

    . . ., but there's no sign that Apple's likely to budge on its longstanding policy of not paying for bugs

    Ha. That's because there's no such thing as an Apple bug. You're holding it wrong.

    Apart from the obligatory Apple bash: of course they will all like crowdsourcing. No pensions to pay, no sick pay, no NI contributions, and I bet it's tax-deductible as advertising costs as well. And instead of 1000s of CVs from mediocre, boring, freshly unemployed CompSci MAs, you get a proven bit of work from someone creative who might be worth looking into.

    Everyone (insert David-Tennant-type "well . . .") is a winner.

    1. Grikath

      Re: Not just cheaper.

      Something like that...

      There's plenty of peeps who would just do it for the creds. If only to enhance their l33t status.

      Bughunting is an art in and of itself, but you've got to think about whether you actually want to open up your code to that kind of scrutiny. It may *sound* nice and cheap, but there are a number of rather unpleasant risks in taking this route.

  2. Blain Hamon

    Why do I have the sinking feeling

    that some enterprising bosses will ignore the fact that GOOG, Mozilla, and MSFT also have internal security experts; or that secure design is a must long before software is written (much less shipped!); and treat this supplement as an outright replacement, akin to the offshoring craze of before?

  3. JeevesMkII

    What's the total cost of disownership?

    Yeah, I'm sure not giving a damn about shipping secure software is cheaper than giving a damn.

    Except if you actually account for the cost to your reputation when the blackhats find all those flaws you shipped before the whitehats do. I think crime pays a lot better than your measly browser bug bounties.

    1. Robert Helpmann??

      Re: What's the total cost of disownership?

      Yeah, I'm sure not giving a damn about shipping secure software is cheaper than giving a damn.

      I am not so sure. During a training session in 2011 for McAfee's ePO product, we were told that the severity rating of vulnerabilities for most companies had to do with how bad it would be for the users if a given vulnerability were exploited. For most companies, that is, except Microsoft. In their case, the rating is based upon their liability, at least according to our trainer. So it seems that they do give a damn, inasmuch as they are on the hook for something bad happening as a result of their code's flaws.

      I have not tried to confirm this, but I have no reason to believe the person involved would either not know or would mislead us.

  4. John Tserkezis

    Isn't this akin to "hiring" 100 people to do a calculation, but only paying the one who completes it first?

    And then, expecting the remaining 99 who don't get paid to also not screw you over.

    Yeah, perfectly valid security model there.

    1. Anonymous Coward

      Re: the remaining 99

      How can they screw you over if you fix the reported flaw first? They'd have to know of another unfixed flaw, for which they could claim the money anyway.

  5. AceRimmer

    "a special bonus $1337 reward for critical or clever flaw discoveries"

    With a reward like that, how can Google ever be considered evil?

  6. pben

    I recall a probably earlier case of Knuth offering a sliding rate for bug discovery in TeX. Initial discoveries had a low rate, but over time the rate went up, significantly, for the hard-to-find bugs. It worked well for a stable, single-release type of product.

  7. Robert Carnegie

    Is this a safe method?

    Of course software should be -written- safe but that isn't easy.

    In this case, I worry that rewarding your bug-finders means that a bug researcher has a choice of selling the bug to you, the software publisher, -or- to a gang of hackers in Russia, China, or the NSA. Or to all of those! So, in a way, you are paying people to hurt your product!

  8. Anonymous Coward

    Ahem

    "but there's no sign that Apple's likely to budge on its longstanding policy of not paying for bugs. "

    Of course they won't, don't you know, Apple computers never go wrong, are unhackable and don't have bugs.
