With Microsoft's recent announcement of its grand bug bounty program, the company joined a host of major Web companies -- including Google, Facebook, and Mozilla -- to offer cash rewards to security bug finders.
Bug bounty programs always result in more vulnerabilities being privately reported to the vendor, which then has time to research and repair them. The theory is that the more security holes are found and closed, the lower the risk of security compromise to customers.
But do bug bounty programs really reduce risk to customers? Probably not as much as you might think. There are a couple of reasons why.
Eureka, look what I've found!
First, bug bounty programs are no guarantee that discovered vulnerabilities, big or small, will be reported to the vendor. Big-time criminal groups or government cyber-attack teams are not about to report their bugs.
On the other hand, small-time, cash-driven criminals want the biggest payout possible. In this respect, Microsoft's grand prize of $100,000 -- far bigger than that offered by any other vendor -- is incentive enough for low- and midlevel criminals to deliver their discovered bugs directly to Microsoft. It's worth noting that all the vendors pay the largest awards to only a small percentage of bug finders, usually the ones reporting the riskiest and most easily exploitable bugs.
In the many reported vulnerability payment schemes I've seen during the last decade, $100,000 is often the price mentioned for top exploits. These fees are paid by a criminal element that will directly use the exploit or sell it to someone else -- or it's paid to the finder by a professional vulnerability collection company, which sells it to the vendor. Most low-level exploits are sold for a few hundred to a few thousand dollars.
Many privately found exploits are never reported to the software vendor all. Why? In many cases, the bug finder works for a larger organization as a salaried employee who has been hired to find many bugs. Those worth selling are sold; others lie fallow.
A different dynamic may persist when the hacker is independent. I know of many smart white-hat hackers who have been frustrated because they couldn't make a decent living reporting bugs directly to the vendor. I've even read about a few who, in desperation, sold the bug to criminal elements. Most usually just disclose the bug publicly, which benefits no one in the short term.
Nonetheless, bug bounty programs increase the number of people who report bugs -- and that's a good thing. The biggest problem with bug bounty programs is that you never know which security bugs will "go big." Very few security bugs, no matter how severe, end up exploiting millions and millions of customers.