Slashdot Mirror


The Joys of Running a Bug Bounty Program

Trailrunner7 writes "When Barracuda Networks started its bug bounty program about three months ago, company officials weren't exactly sure what to expect. They didn't know whether there'd be an onslaught of submissions or the sound of crickets chirping. The reality turned out to be somewhere in the middle. Overall, the company has been getting about 10 bug reports a month, none of which has been very serious. But that doesn't mean the program hasn't been a success. Peck said that Barracuda also had run into the same problem that Google and others have: hackers don't pay much attention to directions. The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site."

6 of 52 comments

  1. Re:Pay up if they fix the "out of bounds" issues by Wrath0fb0b · Score: 4, Insightful

    If they do in fact fix those "out of bounds" issues and/or its corporate web site then they should pay something to the discoverer. Only if they don't do anything about them should they not pay anything.

    If I ask a contractor to assess my foundation and he tells me that my water heater is busted, do I owe him money if I later replace the heater? There was an explicit deal regarding which flaws qualify for bounties and which do not. If someone submits one contrary to an honest reading of those terms, they are owed nothing.

  2. Barracuda by American+AC+in+Paris · Score: 4, Funny

    ...does "your messaging client is such a kludge that I would frankly rather try to use an actual elongated carnivorous fish to IM with my co-workers" count as a bug?

    --

    Obliteracy: Words with explosions

  3. Puny bounties by Animats · Score: 3, Funny

    There was once a real-time OS company that gave you a Bug, a Volkswagen Beetle, if you found a bug in their OS. They gave away about two cars a year, and it was worth it.

  4. Not Just Hackers by Bieeanda · Score: 4, Insightful

    I hate to break it this way, but most people don't have the QA skills of a goldfish. Most of them, even given guidelines, walkthroughs, or even formal instruction on how to write a bug report, would rather just drop a single, unhelpful line and get back to waiting for a cheque.

  5. Re:Pay up if they fix the "out of bounds" issues by SharpFang · Score: 3

    Actually, they are owed gratitude and what little courtesy demands. You have no contractual obligation to reward them, but in all fairness, if they discovered an error you didn't know about, where you didn't expect it, they deserve some kind of gratitude.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

  6. Re:Pay up if they fix the "out of bounds" issues by TubeSteak · Score: 3, Funny

    Water heaters aside, I think you'd be wise not to piss off people who have shown they can find holes in your product &/or corporate website, regardless of their ability to follow directions.

    --
    [Fuck Beta]
    o0t!