Slashdot Mirror


The Case For a Government Bug Bounty Program

Trailrunner7 writes "Bug bounty programs have been a boon for both researchers and the vendors who sponsor them. From the researcher's perspective, having a lucrative outlet for the work they put in finding vulnerabilities is an obvious win. Many researchers do this work on their own time, outside of their day jobs and with no promise of financial reward. The willingness of vendors such as Google, Facebook, PayPal, Barracuda, Mozilla and others to pay significant amounts of money to researchers who report vulnerabilities to them privately has given researchers both an incentive to find more vulnerabilities and a motivation to not go the full disclosure route. This set of circumstances could be an opportunity for the federal government to step in and create its own separate bug reward program to take up the slack. Certain government agencies already are buying vulnerabilities and exploits for offensive operations. But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who don't pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks. DHS has a massive budget–a $39 billion request for fiscal 2014–and a tiny portion of that allocated to buy bugs from researchers could have a significant effect on the security of the nation's networks. Once the government buys the vulnerability information, it could then work with the affected vendors on fixes, mitigations and notifications for customers before details are released."

6 of 53 comments

  1. Bad idea by Raul654 · · Score: 2

    This is essentially a government subsidy to software companies that produce crappy code.

    Look at Walmart. It pays its employees so little money that they have to use government assistance like food stamps and medicare. Walmart shareholders reap the benefit, and the public is left taking care of their employees.

    Here's a better idea - if a company is making software that's critical to national infrastructure, make them liable for any bugs that occur (and for smaller companies, require them to carry insurance up to a certain level of liability).

    --

    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:Bad idea by Minwee · · Score: 4, Insightful

      This is Walmart. Their employees are eligible for both.

  2. reward bail money ? by WillgasM · · Score: 3, Funny

    Is the reward money enough to get me out of federal prison when I'm arrested for unauthorized access?

  3. Re:Wrong incentive by ShanghaiBill · · Score: 2

    How about holding people responsible for writing bad code and fining them, or allowing lawsuits.

    That would immediately end the free software movement. No more Linux. No more gcc. No more Firefox ...

    Commercial software would become far more expensive and have far fewer features.

    There would be a black market in cheap "as is" software written by anonymous authors and hosted offshore.

  4. Why not just give our tax dollars away? by h4rr4r · · Score: 2

    Instead of this why not just give our tax dollars away to big vendors?

    A simple tax giveaway would be cheaper to administer and have the same end result.

    Why in the world is this even an option?

  5. Re:Public Debt - Privatizing Profits by kasperd · · Score: 3, Insightful

    So now we are going to support companies by buying their vulnerabilities for them?

    It is worse than that. It is essentially rewarding companies for not taking security seriously.

    There is software backed by companies which do offer a bug bounty, and there is software backed by companies which offer no bug bounty. Having a bug bounty for more software is desirable. But having government pay it for those companies who do not pay it themselves is not the proper solution. A much better solution would be that whenever the government buys software, it will primarily buy from companies that do offer a bug bounty.

    This will mean the software being bought is more likely to be secure. Additionally it will put a force on the market, driving it in the right direction.

    The only situation where the government should be paying any bug bounties is when the bugs are in software or services offered by the government. For example, it could apply to security problems found in government websites. But if those products are bought from private companies in the first place, it should be made part of the contract that the vendor will pay the bug bounty and fix the bug.

    --

    Do you care about the security of your wireless mouse?