Bug Bounties from Software Vendors
Have you heard of bug bounties? While it might sound like it has nothing to do with technology, bug bounties from software vendors are becoming more and more popular. A bug bounty is a different approach to software quality assurance. Realizing that even the best QA teams cannot exhaustively evaluate applications for every vulnerability and issue, some companies are turning to their user base and even white hat hackers for help. In a bug bounty system, a software developer offers a reward to end-users or contractors who can find problems in their products. Bug bounties can be public or contracted.
In a public bug bounty program, any end user is eligible to find a bug and collect the prize. This contrasts with a contracted bug bounty scenario, in which a developer hires a professional vulnerability assessment company to vet their product. There are positives and drawbacks to any bug bounty scenario; the first three points below are benefits, the last three are risks.
- Interest: A well-publicized bug bounty program generates interest in the product. Enterprising end users, amateur developers and hacking hobbyists may purchase a product they had not planned to buy in order to seek the reward.
- Improvement: Pushing for outside application assessment can drive product improvement beyond what the standard QA process alone achieves.
- Goodwill: A bug bounty program can signify that a company is open to feedback from its customers. This sort of publicity generates goodwill and can increase the public’s willingness to buy future products.
- Hacker risk: The hacker community is vast and interconnected. Draw the attention of the white hats and the black hats are sure to follow. While the white hat hackers may pursue the bounty, the less well-intentioned ones will simply find the security flaws and keep them for later exploitation rather than report them.
- Short window: Bug bounty programs are typically short in duration. Without enough time to fully vet the software, bounty seekers may only find the “low hanging fruit,” leaving deeper, more damaging flaws unaddressed.
- More bugs: If bug bounties become a regular part of a software company’s modus operandi, it could lead to products being released with more bugs. Internal QA may be tempted to relax their standards, knowing someone else will pick up the slack later during the bounty program.
Have additional questions about bug bounties? Contact the Syndeo San Diego IT support experts and learn more about bug bounties and what you can do to protect your software, hardware and other vital business data and information.