Debate: Bug bounty programs – offering monetary rewards to researchers – help make companies more secure.
Chris Evans, software engineer, Google
There’s no doubt that well-run bug bounty programs make companies more secure. It’s easiest to assess their effectiveness if you’ve launched one. At Google, I’ve introduced the Chromium, Google Web and Pwnium bounty initiatives. A rewards program is no replacement for secure development practices – it’s a cherry on top. But even with a solid baseline, you’ll find that motivating and engaging the wider security community accesses scale and creativity that bests any in-house security team. You’ll learn about and fix bugs you otherwise would never have found. Qualitatively, over time, your product will improve, the rate of vulnerability discovery will trend down, and program participants will likely tell you it’s getting very hard to find bugs. You’ll be able to see patterns in incoming issues and launch broader initiatives to tackle any underlying hot spots. The relationships you build may even lead to world-class hires. Other companies, from Facebook to PayPal, have publicly documented similarly positive results.
Ward Spangenberg, director of security, Pearl.com
Bounty programs do not minimize a company’s risk. A company can reduce risk with its software long before the implementation of a bug bounty program by investing in software development lifecycle programs, code analysis tools and more robust procedures around securing products before release. Building mature secure software packages from the beginning reduces risk. A bounty program requires established processes for dealing with the influx of new exploit data – without these processes, risk remains the same. Bounty programs do not make a company more secure. A bug bounty program is an incentive to follow a company’s existing responsible-disclosure process. Responsible hackers will share findings in accordance with a company’s published disclosure policy. Malicious hackers continue to target a company whether or not a company-sponsored bounty program exists. There is the positive potential for more responsible hackers performing analysis on the code base. However, paying for an exploit existed long before the company offered cash for the disclosure.