Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Bug Bounties Are Like Rat Farming

Posted by timothy on from the first-we-hypothesize-a-problem dept.

Gunkerty Jeb writes "In a keynote speech at the United Security Summit, Stephen Dubner, co-author of Freakonomics, drew parallels between the increasingly popular (and successful) practice of software vendors offering bug bounties and a new industry springing up in Johannesburg, South Africa, where the population has recently found itself beset with a growing rat problem. In order to help mitigate their rodent problem, officials in Johannesburg began offering a small monetary rewards for each dead rat turned in. It was wildly successful, and it didn't take long for fresh batch of entrepreneurs to pop up and exploit the situation. Of course, I'm talking about rat farming. Evidently, business minded individuals have taken to breeding rats, only to kill them and turn them in for rewards. Obviously, rat farming is somewhat unscrupulous, but security researchers are doing the same thing: breeding bugs in the lab, then leading them to the slaughter for a nice payday. And it's a good thing."

1 of 140 comments (clear)

  1. What the hell by Anrego · · Score: 5, Insightful

    Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).

    But it turns out that he knows more about security than one would think. Maybe even more than he might think.

    Or perhaps not? This comes across as exactly the kind of outsider without a clue looking in type perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).

    The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.