Content

Debate: Bug bounty programs

,

Debate: Bug bounty programs - offering monetary rewards to researchers - help make companies more secure. 

FOR

Chris Evans software engineer, Google

There's no doubt that well-run bug bounty programs make companies more secure. It's easiest to assess their effectiveness if you've launched one. At Google, I've introduced the Chromium, Google Web and Pwnium bounty initiatives. A rewards program is no replacement for secure development practices – it's a cherry on top. But even with a solid baseline, you'll find that motivating and engaging the wider security community accesses scale and creativity that bests any in-house security team. You'll learn about and fix bugs you otherwise would never have found. Qualitatively, over time, your product will improve, rate of vulnerability discovery will trend down, and program participants will likely tell you it's getting very hard to find bugs. You'll be able to see patterns in incoming issues and launch broader initiatives to tackle any underlying hot spots. The relationships you build may even lead to world-class hires. Other companies, from Facebook to PayPal, have publicly documented similarly positive results.


AGAINST

Ward Spangenberg, director of security, Pearl.com

Bounty programs do not minimize a company's risk. A company can reduce risk with its software long before the implementation of a bug bounty program by investing in software development lifecycle programs, code analysis tools and more robust procedures around securing products before release. Building mature secure software packages from the beginning reduces risk. A bounty program requires established processes for dealing with the influx of new exploit data – without these processes, risk remains the same. Bounty programs do not make a company more secure. A bug bounty program is an incentive to follow a company's existing responsible-disclosure process. Responsible hackers will share findings in accordance with a company's published disclosure policy. Malicious hackers continue to target a company whether a company-sponsored bounty program exists. There is the positive potential for more responsible hackers performing analysis on the code base. However, paying for an exploit existed long before the company offered cash for the disclosure.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.