Debate: Bug bounty programs

Debate: Bug bounty programs - offering monetary rewards to researchers - help make companies more secure. 


Chris Evans, software engineer, Google

There's no doubt that well-run bug bounty programs make companies more secure. It's easiest to assess their effectiveness if you've launched one. At Google, I've introduced the Chromium, Google Web and Pwnium bounty initiatives. A rewards program is no replacement for secure development practices – it's a cherry on top. But even with a solid baseline, you'll find that motivating and engaging the wider security community accesses scale and creativity that bests any in-house security team. You'll learn about and fix bugs you otherwise would never have found. Qualitatively, over time, your product will improve, the rate of vulnerability discovery will trend down, and program participants will likely tell you it's getting very hard to find bugs. You'll be able to see patterns in incoming issues and launch broader initiatives to tackle any underlying hot spots. The relationships you build may even lead to world-class hires. Other companies, from Facebook to PayPal, have publicly documented similarly positive results.


Ward Spangenberg, director of security,

Bounty programs do not minimize a company's risk. A company can reduce risk with its software long before the implementation of a bug bounty program by investing in software development lifecycle programs, code analysis tools and more robust procedures around securing products before release. Building mature secure software packages from the beginning reduces risk. A bounty program requires established processes for dealing with the influx of new exploit data – without these processes, risk remains the same. Bounty programs do not make a company more secure. A bug bounty program is an incentive to follow a company's existing responsible-disclosure process. Responsible hackers will share findings in accordance with a company's published disclosure policy. Malicious hackers continue to target a company whether or not a company-sponsored bounty program exists. There is the positive potential for more responsible hackers performing analysis on the code base. However, paying for an exploit existed long before the company offered cash for the disclosure.
