Ben Gracewood writes in NBR about bug bounties and in general about exposing security flaws.
At least he admits to being “a wet pinko liberal socialist”, which probably explains why NBR and others didn’t castigate Scoop for their security breach.
In some cases, companies provide a “bug bounty” for users that discover security flaws. This is for a couple of reasons: firstly because there is value in having these flaws discovered and resolved before they are made public; and secondly it acts as an incentive for “black hat” hackers to move from step one to step two above. Hackers can opt for a quick, legitimate pay-off, rather than exploiting the flaw for possible dubious gain.
In my opinion, it’s totally kosher to ask a private company for a bug bounty. It’s in their interest to close the hole, and most responsible companies should have a public bounty policy, because even the best operational security is not going to keep up with every single exploit.
But a government department? I’m not sure about this one. On the one hand I think it’s our social responsibility to help these guys out as much as we can. Maybe I’m a wet pinko liberal socialist, but we’re all in this s*itfight called the internet together, and I think it’s a bit much to ask for a bug bounty on an issue that affects the most vulnerable in our society.
But then I read about $50,000 for a two-week Deloitte review and think that maybe a $2000 reward per bug would go a long way to making that review irrelevant.