Ben Gracewood writes in NBR about bug bounties and in general about exposing security flaws.
At least he admits to being “a wet pinko liberal socialist”, which probably explains why NBR and others didn’t castigate Scoop for their security breach.
In some cases, companies provide a “bug bounty” for users that discover security flaws. This is for a couple of reasons: firstly because there is value in having these flaws discovered and resolved before they are made public; and secondly it acts as an incentive for “black hat” hackers to move from step one to step two above. Hackers can opt for a quick, legitimate pay-off, rather than exploiting the flaw for possible dubious gain.
In my opinion, it’s totally kosher to ask a private company for a bug bounty. It’s in their interest to close the hole, and most responsible companies should have a public bounty policy, because even the best operational security is not going to keep up with every single exploit.
But a government department? I’m not sure about this one. On the one hand I think it’s our social responsibility to help these guys out as much as we can. Maybe I’m a wet pinko liberal socialist, but we’re all in this s*itfight called the internet together, and I think it’s a bit much to ask for a bug bounty on an issue that affects the most vulnerable in our society.
But then I read about $50,000 for a two-week Deloitte review and think that maybe a $2000 reward per bug would go a long way to making that review irrelevant.