Bounties on Security Software Bugs

Google is the latest major player to establish a financial reward bounty for reporting software bugs in their products.  Opinions differ on paying outsiders for vulnerabilities in such a manner, but for the record, I fully support the idea!

I think these programs support security objectives on a number of fronts.  It brings to bear more resources to find the vulnerabilities, leverages positive aspects of greed to accelerate the process, and targets the motivations of potential attackers to undermine their destructive activities.

Bounty programs tap extended resources to identify bugs in a constructive and competitive manner.  Even though Google likely has a very proficient security design team, they still will miss vulnerabilities that external researchers may find.  A financial incentive can direct more volunteers to the effort.

Reward initiatives leverage the ‘greed’ of potentially competing attackers and researchers.  Greed can be good.  In this case it creates competition among researchers and against attackers.  Researchers will strive to be the first to report a bug.  It accelerates the process of finding and closing vulnerabilities before an attacker can take advantage.  In doing so, pressure is put against attackers who are looking to exploit a new bug.

Bounties directly target the motivations and objectives of attackers.  For threat agents who are motivated by financial gain but are not set on doing harm, this provides an opportunity to leverage their hacking skills without crossing moral boundaries or be at risk of criminal prosecution.  These programs will also appeal to those seeking personal fame.  Positive recognition and validation by the software vendor is something which builds reputation and looks very good on a resume.

Lastly, I suspect such enticements may also lead to conflicts within the internal dynamics of attacker groups.  Weak members, who may feel slighted or undercompensated, may choose to go behind their cohorts to directly benefit from newly discovered exploits by reporting it themselves.  There is no honor among thieves.  The potential of driving a wedge between members will give pause to organized groups of attackers and force them to limit who they involve and manage their own internal security.  In a small way it turns the tables against those very people who seek to undermine information security.  The irony is sweet.

Overall, I think a well managed bug bounty program, is a very good idea.  Only time will tell if the benefits can be measured and understood.  I fully applaud Google, Mozilla, and the likes for taking this approach and hope to see others follow!


Published on Categories Archive
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.