Bug Bounties Are Not Security
Paying people rewards for finding security flaws is not the same as hiring your own analysts and testers. It’s a reasonable addition to a software security program, but no substitute.
I’ve said this before, but Moshe Yudkowsky said it better:
Here’s an outsourcing idea: get rid of your fleet of delivery trucks, toss your packages out into the street, and offer a reward to anyone who successfully delivers a package. Sound like a good idea, or a recipe for disaster?
Red Herring offers an article about the bounties that some software companies offer for bugs. That is, if you’re an independent researcher and you find a bug in their software, some companies will offer you a cash bonus when you report the bug.
As the article notes, “in a free market everything has value,” and therefore information that a bug exists should logically result in some sort of market. However, I think it’s misleading to call this practice “outsourcing” of security, any more than calling the practice of tossing packages into the street a “delivery service.” Paying someone to tell you about a bug may or may not be a good business practice, but that practice alone certainly does not constitute a complete security policy.
aikimark • December 27, 2005 8:36 AM
The delivery analogy reminds me of the bozo sort, where random items in the list are swapped until the list is sorted (if ever).
This blog might start an interesting discussion of Test-Driven Development (TDD), automated testing, white-room development, the QA department's relationship with the development staff (should be distant), code coverage, and other related topics. This should prove interesting.
I would think that part of the QA functions might be suitable for off-shoring in an attempt to throw as many fingers at the application as possible. But throwing QA solely to the market does seem like a recipe for disaster.