Debate: Bug bounty programs

Debate: Bug bounty programs - offering monetary rewards to researchers - help make companies more secure.


Chris Evans, software engineer, Google

There's no doubt that well-run bug bounty programs make companies more secure. It's easiest to assess their effectiveness if you've launched one. At Google, I've introduced the Chromium, Google Web and Pwnium bounty initiatives. A rewards program is no replacement for secure development practices – it's a cherry on top. But even with a solid baseline, you'll find that motivating and engaging the wider security community accesses scale and creativity that bests any in-house security team. You'll learn about and fix bugs you otherwise would never have found. Qualitatively, over time, your product will improve, the rate of vulnerability discovery will trend down, and program participants will likely tell you it's getting very hard to find bugs. You'll be able to see patterns in incoming issues and launch broader initiatives to tackle any underlying hot spots. The relationships you build may even lead to world-class hires. Other companies, from Facebook to PayPal, have publicly documented similarly positive results.


Ward Spangenberg, director of security,

Bounty programs do not minimize a company's risk. A company can reduce risk with its software long before the implementation of a bug bounty program by investing in software development lifecycle programs, code analysis tools and more robust procedures around securing products before release. Building mature secure software packages from the beginning reduces risk. A bounty program requires established processes for dealing with the influx of new exploit data – without these processes, risk remains the same. Bounty programs do not make a company more secure. A bug bounty program is an incentive to follow a company's existing responsible-disclosure process. Responsible hackers will share findings in accordance with a company's published disclosure policy. Malicious hackers continue to target a company whether or not a company-sponsored bounty program exists. There is the positive potential for more responsible hackers performing analysis on the code base. However, paying for an exploit existed long before the company offered cash for the disclosure.
