NEWS FROM THE LAB - Monday, July 19, 2010

More Money for Bugs? Posted by Alia @ 08:19 GMT

So Mozilla recently upped their bug bounty money from $500 to $3000 (USD).

Here are a few thoughts on the topic:

The whole concept of paying outsiders to report bugs and vulnerabilities was controversial even before 2004, when Mozilla's program first started (check out No More Free Bugs, Bug Bounty Program Answers Critics and Bug Finders: Should They Be Paid? for more background), and six years on, the arguments for and against don't seem to have changed much.

In the meantime though, other things have changed, which may have an impact on the whole venture.

For one thing, the (online) world has gotten a lot bigger and flatter. In the last few years, there's been an explosion in the number of computer users from countries outside of the US and Western Europe.

More users, as a general rule, means more eyeballs to find flaws; and while technical prowess may generally be lower in less developed countries, the sheer numbers involved may negate that disadvantage. So perhaps in the next few years, we may see more "amateur" researchers becoming involved in paid bug-hunting work.

Also, the assumption that users from less developed countries are less tech-savvy may no longer be entirely correct, or may become outdated very soon, if the various attacks reported in the last few years are anything to go by. Offering a way to channel that proficiency into more helpful activities might not be a bad thing.

And while $3000 isn't that big a prize in the US, or in the underground, it's still a substantial amount in other, less affluent countries — possibly enough to make the effort worthwhile for a weekend tech warrior looking for extra money. For them, a bug bounty like Mozilla's offers some advantages that might appeal, such as:

  •  Fast, easy pay-off
  •  Unlimited by geography
  •  Legitimacy

Debate over the usefulness of bug bounty programs isn't likely to end soon, with most security experts more or less watching and waiting while Mozilla tests the waters.

Still, with the rapid large-scale changes taking place in the computing world, it's certainly conceivable that these programs could evolve in the next few years and take on a form that's viable for both the majority of software vendors and for the volunteer researcher as well.