Slashdot Mirror


How Bug Bounties Are Like Rat Farming

Gunkerty Jeb writes "In a keynote speech at the United Security Summit, Stephen Dubner, co-author of Freakonomics, drew parallels between the increasingly popular (and successful) practice of software vendors offering bug bounties and a new industry springing up in Johannesburg, South Africa, where the population has recently found itself beset with a growing rat problem. In order to help mitigate their rodent problem, officials in Johannesburg began offering a small monetary reward for each dead rat turned in. It was wildly successful, and it didn't take long for a fresh batch of entrepreneurs to pop up and exploit the situation. Of course, I'm talking about rat farming. Evidently, business-minded individuals have taken to breeding rats, only to kill them and turn them in for rewards. Obviously, rat farming is somewhat unscrupulous, but security researchers are doing the same thing: breeding bugs in the lab, then leading them to the slaughter for a nice payday. And it's a good thing."

14 of 140 comments

  1. What the hell by Anrego · · Score: 5, Insightful

    Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into Firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).

    But it turns out that he knows more about security than one would think. Maybe even more than he might think.

    Or perhaps not? This comes across as exactly the kind of outsider-without-a-clue-looking-in type of perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).

    The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

    1. Re:What the hell by The Mighty Buzzard · · Score: 2

      Yep, bloody stupid article by a bloody stupid journalist. No two ways about it.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    2. Re:What the hell by StikyPad · · Score: 2

      this whole article is mostly pointless (besides the interesting story about rat farming).

      Which itself seems to be a fabrication (unless this is the one story unavailable anywhere else on the internet). Johannesburg certainly has a rat problem, but there are no reports of the city paying bounties.

      http://www.news24.com/SouthAfrica/News/Johannesburg-waging-war-against-rats-20110801
      http://www.news24.com/SouthAfrica/News/Anti-rat-campaign-moves-to-Soweto-20110812

  2. Dumb article. by tomhudson · · Score: 3, Informative

    The conclusion is false:

    But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

    There is ZERO evidence that the people writing the software cited in the article are intentionally introducing bugs. This guy should either produce a smidgen of evidence or FOADIAF.

  3. ObDilbert by DCheesi · · Score: 3, Funny

    "I'm gonna write me a new minivan this afternoon!"

    http://search.dilbert.com/comic/10%20Dollars%20Bug%20Fix

  4. That's the worst analogy I've ever seen by nedlohs · · Score: 3, Insightful

    And that includes slashdot car and pizza analogies.

    Unless he is claiming researchers are contributing code to said products that they know contains security bugs and then when it is released reporting it and claiming a bug bounty (and hiding the fact they contributed it since the rules say you can't do that of course).

    But he isn't. So the analogy is complete and utter garbage.

  5. "Tax the rat farms." - Vetinari by Verteiron · · Score: 4, Informative

    Okay, so who came up with this idea first? South Africa? Or Terry Pratchett?

    --
    End of lesson. You may press the button.
  6. Bad analogy, bad article by athe!st · · Score: 2

    Unless people are putting bugs in open source software, then claiming the bounties for finding them, the analogy is just plain wrong.

  7. Reminds me of the article from thedailywtf by h5inz · · Score: 2
  8. Re:His point by slim · · Score: 3, Insightful

    It's correct to observe that an incentive scheme could, conceivably, tempt developers into deliberately inserting bugs.

    This would happen if you:

    • offer incentives for discovering bugs
    • offer incentives for closing off bugs
    • *don't* offer incentives for clean code

    What the article doesn't do is point at real-world instances of this happening, or explain why "that's a good thing".

  9. Re:Horrible, crappy, Half an article by gurps_npc · · Score: 2

    Correction. The author did not have a good idea. He was reporting on a speech given by someone else (the author of Freakonomics).

    The author basically gave a review of that speech, and left out all the important stuff, just because he was obsessed with the stupid rat farming example.

    I will have to go looking for the real speech; it might actually be interesting.

    --
    excitingthingstodo.blogspot.com
  10. The actual analogy... by Gonzo The Gr8 · · Score: 2

    One of the commenters from TFA finally explained it; the problem is it's still a very bad analogy. Farmed rats != manufactured bugs. The actual analogy is wild rats == significant bugs and farmed rats == insignificant bugs. He's not saying the "bug farmers" are manufacturing the bugs, just that they're finding new and creative ways to break the software that would in all likelihood never occur outside of a lab setting.

    So, like I said, a very bad analogy.

    1. Re:The actual analogy... by Riceballsan · · Score: 2

      That actually makes sense. In other words, they are finding bugs like, say, a glitch where if you type the letters todadadklard into a search box, hold shift and backspace while having someone else click the submit button, the program exits. While technically a bug, it would be one that would never bother anyone or affect the end user; hypothetically, though, it could lead to an exploit that could do greater harm as a zero-day vulnerability with the right method of hacker, hence why it is good to bring even the stupid bugs out into the open.

  11. Dilbert figured this out 15 years ago. by darkwing_bmf · · Score: 2