Bug bounties: Outbidding the black hats

Google, Mozilla, and others offer cold cash to find software flaws before the bad guys do. Should your company do the same?

In "Star Wars: The Empire Strikes Back," the villainous Darth Vader employed alien bounty hunters to track down enemies of the evil Galactic Empire. Not everyone in Vader's camp agreed with the move. As the camera tracked across the motley group, one Imperial officer was heard to mutter, "We don't need those scum."

Opinion is similarly polarized in the software industry over the practice of offering "bug bounties": cash payouts for developers who discover previously undocumented software flaws. Some experts say it's a good way to encourage enhanced scrutiny and independent review of an application's code base. Others say it's little more than a distraction, one that can lull vendors into complacency.


Whichever side of the fence you fall on, the fact is that bounties are being paid for undisclosed software flaws. They're just not always being paid by the vendor who developed the software. As ever more commercial data moves into the cloud and the stakes for cyber crime rise, black hat hackers are offering real money for exploitable bugs. In turn, when exploits happen, vendors may be held legally liable for any customer data that was compromised. Maybe it's time more software shops thought seriously about using their own cash to turn the tide in their favor.

Big business in bugs
Two of the highest-profile proponents of the bug bounty approach are Google and the Mozilla Foundation, which have engaged in a kind of informal bidding war for bugs in their respective Web browsers and services. Mozilla pays up to $3,000 for critical and high-severity bugs, while Google offers up to $3,133.70 (a play on a hacker spelling of the word "elite").

To hear Google tell it, its program has been a resounding success. In March, the search giant patched 19 bugs in its Chrome Web browser that had been discovered by independent security researchers. In turn, it paid out a total of $14,000 in bug bounties -- equivalent to about one-sixth of a typical Google developer's salary, according to PayScale.com. To offer the same value, a single full-time security analyst would have to spot about 10 new bugs per month.

But not every company agrees with the bug bounty approach. Microsoft, in particular, has long been a staunch opponent of the idea. It's easy to see why. Both Chrome and Firefox are open source projects, while Microsoft offers only limited access to its source code through its Shared Source program. To create a bug bounty program with the breadth of Google's or Mozilla's, Microsoft would have to open its proprietary code to the rank and file. Besides being ideologically opposed to that idea, Microsoft engineers simply don't believe it works; they maintain that organized code review within the organization is a better way to isolate defects.
