Do bug bounties make the Internet more secure?
Some big names in software have been offering bounties to researchers who find security vulnerabilities in their programs, while other big software makers forgo the tactic. Mozilla, PayPal and Google (NASDAQ: GOOG) have shelled out a lot of cash for bugs, while Microsoft, Apple (NASDAQ: AAPL) and Adobe prefer not to pay for such discoveries. Kim Zetter at Wired asks whether bug bounty programs make the Internet any more secure.

The anecdotal evidence, Zetter reports, indicates that bug bounties not only improve the security of individual software programs but also provide lessons to other vendors about the measures being taken to reduce vulnerabilities. What's more, before welcoming bounty hunters, vendors are likely to have a high level of security already.

Google has seen a "fairly sustained" reduction in the number of security reports it gets for Chromium, said Chris Evans, an information security engineer at Google who leads its latest bug bounty contest. The company recently paid two bounty hunters $5,000 after they discovered a bug in Microsoft (NASDAQ: MSFT) Windows.

With bounty programs, researchers who discover bugs are encouraged to let vendors know before anyone else, so that a patch can be released before the security hole becomes public, and vendors are motivated to fix the holes quickly.

For more:
- see Kim Zetter's article at Wired
