The Joys of Running a Bug Bounty Program

Trailrunner7 writes "When Barracuda Networks started its bug bounty program about three months ago, company officials weren't exactly sure what to expect. They didn't know whether there'd be an onslaught of submissions or the sound of crickets chirping. The reality turned out to be somewhere in the middle. Overall, the company has been getting about 10 bug reports a month, none of which has been very serious. But that doesn't mean the program hasn't been a success. Peck said that Barracuda also had run into the same problem that Google and others have: hackers don't pay much attention to directions. The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site."

Barracuda

[American+AC+in+Paris]

...does "your messaging client is such a kludge that I would frankly rather try use an actual elongated carnivorous fish to IM with my co-workers" count as a bug?

Puny bounties

[Animats]

There was once a real-time OS company that gave you a Bug, a Volkswagen Beetle, if you found a bug in their OS. They gave away about two cars a year, and it was worth it.

Re:Hackers and directions

Wait, this was covered in Dilbert years ago.
The pointy-haired boss announced there would be bonuses based on bugs found.

Wally shouted "woo hoo, I'm writing myself a minivan today"

Re:Pay up if they fix the "out of bounds" issues

[TubeSteak]

Water heaters aside, I think you'd be wise not to piss of people who have shown they can find holes in your product &/or corporate website, regardless of their ability to follow directions.