Bug Bounties Are Not Security
Paying people rewards for finding security flaws is not the same as hiring your own analysts and testers. It's a reasonable addition to a software security program, but no substitute.
I've said this before, but Moshe Yudkowsky said it better:
Here's an outsourcing idea: get rid of your fleet of delivery trucks, toss your packages out into the street, and offer a reward to anyone who successfully delivers a package. Sound like a good idea, or a recipe for disaster?
Red Herring offers an article about the bounties that some software companies offer for bugs. That is, if you're an independent researcher and you find a bug in their software, some companies will offer you a cash bonus when you report the bug.
As the article notes, "in a free market everything has value," and therefore information that a bug exists should logically result in some sort of market. However, I think it's misleading to call this practice "outsourcing" of security, any more than calling the practice of tossing packages into the street a "delivery service." Paying someone to tell you about a bug may or may not be a good business practice, but that practice alone certainly does not constitute a complete security policy.
Posted on December 27, 2005 at 7:46 AM • 20 Comments