Slashdot Mirror


Study Finds Bug Bounty Programs Extremely Cost-Effective

itwbennett writes "U.C. Berkeley researchers have determined that crowdsourcing bug-finding is a far better investment than hiring employees to do the job. Here's the math: Over the last three years, Google has paid $580,000 and Mozilla has paid $570,000 for bugs found in their Chrome and Firefox browsers — and hundreds of vulnerabilities have been fixed. Compare that to the average annual cost of a single North American developer (about $100,000, plus 50% overhead), 'we see that the cost of either of these VRPs (vulnerability reward programs) is comparable to the cost of just one member of the browser security team,' the researchers wrote (PDF). And the crowdsourcing also uncovered more bugs than a single full-time developer could find."

21 of 95 comments

  1. Incentives by Todd+Knarr · Score: 5, Informative

    The major problem is that on-staff developers are usually discouraged from going on bug-hunts. Management would rather have them developing new features, so they won't allocate time towards finding bugs. When the company's policy towards finding bugs conflicts with how your manager assigns you tasks, guess which one wins. Worse, most of the time an employee who ignores his to-do list to go find problems ends up penalized either explicitly (by bad reviews) or implicitly (negative impact from people being annoyed that he made work for them). Outsiders in these bounty programs don't have to worry about a manager assigning them 100% to new features and 0% to finding vulnerabilities, and they don't have to worry about the impact of bad reviews or negative comments by managers about the extra work they created for everybody.

    1. Re:Incentives by VorpalRodent · Score: 4, Informative

      This.

      And not just bug hunts. I have a laundry list of things that need to be refactored, but every time we think we might have a chance to do so, project management decides something else is more important. We have people complaining about things being slow, but when told that we need to spend time to make it faster, we instead get directed at new features or, worse, tweaks for the sake of a single non-representative customer that happens to have the ear of the project owner.

      --
      Take it to the limit, everybody to the limit, come on, everybody fhqwhgads.
    2. Re:Incentives by CastrTroy · Score: 4, Insightful

      Exactly. I think if you found the right kind of employee and told them to hunt for bugs all day long and get paid for it, they'd probably uncover quite a few bugs. Give them complete access to the code, source control, and test suites, and they could probably find bugs much more efficiently than getting somebody to find vulnerabilities from the outside.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:Incentives by Alumoi · Score: 2

      Hmm, just like every major software company is doing: sell the first version of the software, let the paying crowd find the bugs, sell the second version of the software with (some) bugs fixed. Rinse, repeat. Profit!

    4. Re:Incentives by SethJohnson · Score: 2

      It's amazing our customers still find the product useful enough to pay for it. It's like a big building made of dried shit. It sort of works in some conditions. You know what happens if it rains a bit, but if you remove all the shitty bits there's not much building left... And to rebuild the building from scratch would take years.

      Wow. Aren't you worried that by posting this online that you might get fired from your position on the Microsoft SQL Server dev team?

  2. What's an interview have to do with it? by feddas · Score: 2

    Mostly shows how being good at finding bugs is a different skill than being good at job interviews.

  3. math problem? by rst123 · Score: 2

    Isn't $570,000 / $150,000 about 3.8 people? (The article's numbers.) Still probably a good deal, but not quite as good.

    1. Re:math problem? by plopez · Score: 2

      No. The developer just reports the bugs to the development team. Perhaps we should give that developer a special title like "Quality Assurance Engineer".

      --
      putting the 'B' in LGBTQ+
  4. dilbert by Joe_Dragon · Score: 4, Funny
    1. Re:dilbert by CastrTroy · Score: 4, Interesting

      I wonder if anything like this is going on internally. Let's say a developer at Google knows about a problem. He could either fix it, and get his regular pay, or he could tell his friend about the bug, and split the bounty with his friend who "discovered" the bug. Either way the bug gets fixed. And it probably gets fixed faster this way, since it's now an externally known vulnerability.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  5. VRPs are the new sweatshops by OleMoudi · Score: 3, Interesting

    This is indeed true, especially for popular companies with rather mature SecOps that pay minimum wages for vulnerabilities that are indeed hard to find or require a pretty darn good skill level to discover. Some of them even only offer swag in exchange for finding serious threats such as persistent XSS or authentication bypass. They may feature the researcher in some blog post to publicly thank him and attract the wannabe crowds.

    Having said that, I myself have participated in several of these programs (with varying success) and come to realize that probably Google and Facebook are the only VRPs currently paying reasonable wages for bugs in terms of cost efficiency for the researcher.

    On the other hand, some of us just enjoy, from time to time, trying to find security bugs for fun (maybe because we are huge nerds), so these programs offer a great opportunity to test things without risking ending up in jail.

    --
    ---------
    Thinking never hurt anybody --MacGyver
  6. Cost of finding bugs != cost of fixing them. by 140Mandak262Jamuna · Score: 5, Insightful

    Browsers have a very large installed base. There are enough bug spotters even if a very small fraction of them actually hunt and report bugs. Even then, the bounty is for finding the bugs, not fixing them, which includes the cost of coming up with a fix, verifying that it fixes the problem, testing to make sure it does not create new problems, and rolling out the fix.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  7. Why employees don't find these bugs by ulatekh · Score: 2, Interesting

    Because the sort of programmer that's good at finding/fixing these bugs...is not the sort of programmer that the interview process determines would be a "good fit" for the organization.

    --
    "Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
  8. Ineffective, unfortunately by gweihir · Score: 3, Interesting

    This is effective for the low-hanging fruit, i.e. the (relatively) easy to find security-related bugs. For things that require advanced techniques or expensive tools (like Fortify), it fails. Unfortunately, the harder to find bugs are still well within reach of spy agencies of all kinds, including a number that are allowed to do industrial espionage (like the US or France).

    So while this looks good on the surface, it is really just making the problem worse. The only exception is software that has very low security needs.

    For reliability it is about as ineffective, as only easy-to-identify bugs will be tracked down.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. No shit Sherlock by Fuzzums · Score: 2

    What I'm really shocked about is that you need a university to figure this out. Or rather do research on this. Companies figured this out quite some time ago and anyone with a functioning brain can see why.
    What I'm more interested in is what kind of people spend their time participating in programs like this. The chances that you find a bug are not that big. The financial reward, given the amount of time you will spend on finding a bug, is probably also relatively small.
    From a company's point of view on the other hand, it's great. Many people working for you. For free. A job well done :)

    --
    Privacy is terrorism.
  10. Re:That's the only way for it to be worthwhile by SJHillman · Score: 2

    For a lot of these people, it might be a hobby. If it weren't for bug hunting for a bounty, they might be working on open source software instead with no payout at all. For those people, the payout is infinitely greater even if it amounts to $2.50/hr. Most people are just happy to have a hobby that breaks even, never mind nets a profit.

  11. Re:That's the only way for it to be worthwhile by TheRaven64 · Score: 2

    Many of the people working on these things will also have full time jobs as security researchers. The extra financial incentive for a bug just means that they'll be applying their bug-finding technique to your codebase instead of to someone else's.

    --
    I am TheRaven on Soylent News
  12. Not a replacement by gmuslera · Score: 2

    It's good to reward people that find security holes, at the very least because it is a safer bet than selling them on the black market, or keeping them for yourself or the government to exploit. But it should not be a replacement for actually having dedicated people actively working for your security who will report to you if something weird is there; some could actually go to the black market (or be found by government teams and never disclosed, because it is a useful cyberweapon), and you must be proactive from your side.

  13. Typical business-centric bullshit reporting by musth · Score: 2

    It's not surprising at all that piecemeal work, with no provision for healthcare, vacation etc. - much less reliable, ongoing income - is more profitable for business.

    Why should technology workers be intrigued or inspired by this? Why is this information presented to technology workers as another avenue to praise Google's or Mozilla's cleverness? And why do technology workers so consistently dig their own graves by latching onto this kind of ideology and failing to fight for labor rights?

  14. Well, yes, it'll work for browsers... by gestalt_n_pepper · Score: 2

    where you have millions of folks looking at your free software for long periods of time. If you're a commercial software vendor, however, with a $10,000 non web-based package and at most a few thousand users (There are still a *lot* of these), then this approach is very unlikely to succeed. Commercial software users are rarely interested enough to report a bug that doesn't actively interfere with their daily work.

    --
    Please do not read this sig. Thank you.
  15. Re:Average? Where? by cbhacking · Score: 2

    High-tech regions tend to be high cost of living, too. In Silicon Valley, 100K USD may well be better than an entry-level salary for a dev with a 4-year degree. The cost of living is so high that this is less impressive than it sounds, though. It's a little less bad up around Seattle ("Silicon Forest") where starting salaries are more commonly in the 70-90k range, but people break six digits very quickly. I haven't job-hunted anywhere else, but at least on the west coast, a 100k estimated average might actually be low. People with more than 5 years in the industry can probably pull at least 50% more than that if they're any good. Also, that's just for a BS; get a MS or a PhD and you can definitely start at or above 100k (and yes, in this field there are high-paying jobs in industry for folks with doctorates).

    --
    There's no place I could be, since I've found Serenity...