Communications of the ACM
In Bounties They Trust, but Does Paying For Security Bugs Make a Safer Web?
Bug hunter Abdul-Aziz Hariri
Credit: Abdul-Aziz Hariri
Freelance security researchers who hunt for exploitable software bugs for cash rewards posted by vendors can sometimes make a decent wage, but some of the largest software vendors do not host bug bounty programs, which raises the question of whether such efforts have improved the security of the Web.
Google says bug bounty programs have positively impacted security, as indicated in the decreasing numbers of incoming bug reports. Bug bounty programs also enhance security through the encouragement of responsible bug disclosure, as researchers inform vendors first so they can craft and issue a patch to customers before the information is publicized.
"The mere fact that you have a bounty program shows you have a certain amount of [security] maturity, because it would be too expensive otherwise [to launch one]," says Veracode co-founder Chris Wysopal. "You could have your application reviewed by a third party for the price of just five bugs you might pay out [in a bounty program]."
Although Google's organization-wide policy is to patch critical or serious bugs within 60 days of receiving a report, Facebook chief security officer Joe Sullivan believes this timeframe needs to be accelerated.
From Wired News
View Full Article
Abstracts Copyright © 2012 Information Inc., Bethesda, Maryland, USA
No entries found