Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are Bug Bounties the Right Solution For Improving Security?

Posted by timothy on from the 10-bucks-says-they-might-be dept.

saccade.com writes Coding Horror's Jeff Atwood is questioning if the current practice of paying researchers bounties for the software vulnerabilities they find is really improving over-all security. He notes how the Heartbleed bug serves as a counter example to "Linus's Law" that "Given enough eyeballs, all bugs are shallow." "...If you want to find bugs in your code, in your website, in your app, you do it the old fashioned way: by paying for them. You buy the eyeballs. While I applaud any effort to make things more secure, and I completely agree that security is a battle we should be fighting on multiple fronts, both commercial and non-commercial, I am uneasy about some aspects of paying for bugs becoming the new normal. What are we incentivizing, exactly?

3 of 58 comments (clear)

  1. You buy eyeballs and loyalty. by vidarlo · · Score: 5, Insightful

    NSA is buying security holes to use against us. This is part of what Snowden revealed with the leaks.

    Offering a bounty, even though it is not as much as the security problem could fetch on the grey market, creates a certain loyalty towards the vendor, and makes it easier to go to them, and ensure the hole gets patched. It also attracts more eyeballs to your software, as finding a problem means money. Google has gone even further - by offering grants for research into specific products, where you get money for checking security of the software, not just finding security prolems.

    So I believe it is a good thing; it probably means more holes will be reported directly to the vendor, and not sold for exploit. It probably attracts eyeballs as well...

    --
    Assembling etherkillers for fun an profit
  2. Re:Enough eyeballs and heartbleed ... by Rosco+P.+Coltrane · · Score: 4, Insightful

    I think the only thing the OpenSSL bug shows is how flimsy the underlying framework of the internet is. Most of the shit we all use, trust and take for granted was coded in someone's basement over the weekend a long time ago. All it takes is one clever guys to take a good look at the code to exploit it, and it's probably fair to say he'll be the only one to review the code ever...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  3. start at the root, we must have securable hardware by anwyn · · Score: 3, Insightful
    Free software, yes. Bug bounties, maybe.

    But recent developments have made clear that securable hardware is sine qua non. All firmware must be in socketed memory, so that you can take it out and externally check it. You can't trust an untrusted system to check itself. All firmware must be protectable with a hardware readonly jumper or switch.

    I know that this is inconvenient and a revolution on how hardware is currently made. but if people started demanding it en mass, it would not cost very much. And I mean the firmware in disk drives and optical media players and especially routers.

    There may be other requirements.

    This is sine qua non. Without this we have nothing.