Ben Gracewood on bug bounties

Ben Gracewood writes in NBR about bug bounties and in general about exposing security flaws.

At least he admits to being “a wet pinko liberal socialist”, which probably explains why NBR and others didn’t castigate Scoop for their security breach.

In some cases, companies provide a “bug bounty” for users that discover security flaws. This is for a couple of reasons: firstly because there is value in having these flaws discovered and resolved before they are made public; and secondly it acts as an incentive for “black hat” hackers to move from step one to step two above. Hackers can opt for a quick, legitimate pay-off, rather than exploiting the flaw for possible dubious gain.

In my opinion, it’s totally kosher to ask a private company for a bug bounty. It’s in their interest to close the hole, and most responsible companies should have a public bounty policy, because even the best operational security is not going to keep up with every single exploit.

But a government department? I’m not sure about this one. On the one hand I think it’s our social responsibility to help these guys out as much as we can. Maybe I’m a wet pinko liberal socialist, but we’re all in this s*itfight called the internet together, and I think it’s a bit much to ask for a bug bounty on an issue that affects the most vulnerable in our society.

But then I read about $50,000 for a two-week Deloitte review and think that maybe a $2000 reward per bug would go a long way to making that review irrelevant.

  • Vlad

    The pinko makes a good point, it happens occasionally so I’ll put a mark on the calendar for the first one of 2012.

  • Tristanb

    “Maybe I’m a wet pinko liberal socialist, but we’re all in this s*itfight called the internet together”

    He’s going to hate this, but he’s doing socialism wrong. Socialism needs continued attacks against the ruling powers. You have to ignore collateral damage. Remember, the end justifies the means.

    He sounds more like a “secular humanist neo-libertarian” than “wet pinko liberal socialist”. I agree with his thoughts regarding this.

    That greedy arsehole Ira sees a whole lot of vulnerable families with their private details exposed for all to see, what’s his first thought? “What’s in it for me?”

    He could have helped people, but he chose to try and extort money from taxpayers. He belongs in jail.

  • Mediaan

    Even if the software flaw is reported, who is going to take it up and treat it seriously? It will be passed to the same less-than-competent people who let it be there in the first place.

    The public service seems to be short of competent people.

  • P1LL

    I feel that if someone discovers a crack in security they should be paid for it.
    The security companies that are paid to keep out unwanted intruders are paid, so why not pay someone who has discovered a weak back door link that the so called “paid” experts have overlooked?

    • Bunswalla

      Good idea in theory, however in this case someone was paid to find the weakness in the security. They found it, reported it, got paid, and the fuckwits then did nothing about it for a year and a half.

    • Tristanb

      I go to the mechanic to get my car checked and fixed.

      If you point out a loose nut on one of my wheels, then you may have saved my life, you may have prevented severe mechanical damage. I owe you a thank you, but I don’t owe you a mechanic’s fee.

      It depends if you’re an ethical person or not.

      Ira is not.

  • cows4me

    No there shouldn’t be a bug bounty. What’s the difference with an accountant finding a loophole in the tax system. I say the people should be able to put all their energies into beating the system. Do we not have a moral obligation to keep as much money in our pockets as we can lawfully get away with? Offering a bounty to find loopholes into the system is just not cricket.

  • 2ndAmendment

    He’s a communist excusing and supporting terrorism – plain and simple:

    In some cases, companies provide a “bug bounty” for thieves that discover security flaws. This is for a couple of reasons: firstly because there is value in having these flaws discovered and resolved before they are made public; and secondly it acts as an incentive for thieves and burglars to move from step one to step two above. Thieves and Burglars can opt for a quick, legitimate pay-off, rather than exploiting the flaw for possible dubious gain.
    In my opinion, it’s totally kosher to extort companies for the return of their own property. It’s in their interest to close the hole, and most responsible companies should have a public thief and burglar reward policy, because even the best operational security is not going to keep up with every single exploit.
