Bug Bounties: Outbidding the Black Hats

snydeq writes "Fatal Exception's Neil McAllister discusses whether independent software developers should follow in the footsteps of Google and Mozilla and begin offering bug bounties before black hats pay up for their undisclosed software flaws. 'Whichever side of the fence you fall on, the fact is that bounties are being paid for undisclosed software flaws. They're just not always being paid by the vendor who developed the software. As ever more commercial data moves into the cloud and the stakes for cyber crime rise, black hat hackers are offering real money for exploitable bugs. In turn, when exploits happen, vendors may be held legally liable for any customer data that was compromised. Maybe it's time more software shops thought seriously about using their own cash to turn the tide in their favor.'"

This overlooks various marketing opportunities

[afourney]

Bug bounties are paid once. Meanwhile, there are many black hats who may be willing to pay for an exploit package, access to bot nets, etc. I imagine there is more money to be made using bugs for nefarious purposes.

lies

[Anonymous Coward]

The article's claim that Microsoft would have to open-up its source to allow bug bounties is rubbish. Google offers bounties for its web applications, and they are hardly open source. There are plenty of vulnerabilities that can be found using black-box techniques. Facebook isn't open source either and will shortly be offering bounties: http://news.softpedia.com/news/Facebook-Prepares-to-Launch-Bug-Bounty-Program-201405.shtml (I regret deleting my facebook account)

Experts like Schneier may point out that bounties don't offer great value for time for professionals, but as a student the money is quite an incentive for me.

Re:This overlooks various marketing opportunities

[Riceballsan]

I don't think the bug bounties will ever match the insane prices that black hats will sell these things for, but they can motivate the white and grey hats to spend more time looking for the bugs. The black hats have the perk that they can more or less turn the hunting into a full fledged job, find the right 2-3 exploits and you can make profits that legitimate programmers make in 5 years, but for every one of those guys, there's 10 people who work 9-5 and could probably use a bit of extra cash, $1000 or so isn't a bad incentive to spend a few extra hours each night looking around for something, it's also something that could look good on the resume for a starting programmer, and substantial money to say a teenager. Rather then spending 80K on one good black hat, you can spend 70k and keep thousands of white/grey hats from all walks of life. Heck there's some mistakes that I'm sure a bored teenage prodigy would catch that an experienced veteran programmer would miss just because they see things differently.