Debate: Bug bounty programs

Debate: Bug bounty programs - offering monetary rewards to researchers - help make companies more secure. 


Chris Evans, software engineer, Google

There's no doubt that well-run bug bounty programs make companies more secure. It's easiest to assess their effectiveness if you've launched one. At Google, I've introduced the Chromium, Google Web and Pwnium bounty initiatives. A rewards program is no replacement for secure development practices – it's a cherry on top. But even with a solid baseline, you'll find that motivating and engaging the wider security community accesses scale and creativity that best any in-house security team. You'll learn about and fix bugs you otherwise would never have found. Qualitatively, over time, your product will improve, the rate of vulnerability discovery will trend down, and program participants will likely tell you it's getting very hard to find bugs. You'll be able to see patterns in incoming issues and launch broader initiatives to tackle any underlying hot spots. The relationships you build may even lead to world-class hires. Other companies, from Facebook to PayPal, have publicly documented similarly positive results.


Ward Spangenberg, director of security,

Bounty programs do not minimize a company's risk. A company can reduce risk with its software long before the implementation of a bug bounty program by investing in software development lifecycle programs, code analysis tools and more robust procedures around securing products before release. Building mature secure software packages from the beginning reduces risk. A bounty program requires established processes for dealing with the influx of new exploit data – without these processes, risk remains the same. Bounty programs do not make a company more secure. A bug bounty program is an incentive to follow a company's existing responsible-disclosure process. Responsible hackers will share findings in accordance with a company's published disclosure policy. Malicious hackers continue to target a company whether or not a company-sponsored bounty program exists. There is the positive potential for more responsible hackers performing analysis on the code base. However, paying for an exploit existed long before the company offered cash for the disclosure.
