Ben Gracewood writes in NBR about bug bounties and in general about exposing security flaws.
At least he admits to being “a wet pinko liberal socialist“, which probably explains why NBR and others didn’t castigate Scoop for their security breach.
In some cases, companies provide a “bug bounty” for users that discover security flaws. This is for a couple of reasons: firstly because there is value in having these flaws discovered and resolved before they are made public; and secondly it acts as an incentive for “black hat” hackers to move from step one to step two above. Hackers can opt for a quick, legitimate pay-off, rather than exploiting the flaw for possible dubious gain.
In my opinion, it’s totally kosher to ask a private company for a bug bounty. It’s in their interest to close the hole, and most responsible companies should have a public bounty policy, because even the best operational security is not going to keep up with every single exploit.
But a government department? I’m not sure about this one. On the one hand I think it’s our social responsibility to help these guys out as much as we can. Maybe I’m a wet pinko liberal socialist, but we’re all in this s*itfight called the internet together, and I think it’s a bit much to ask for a bug bounty on an issue that affects the most vulnerable in our society.
But then I read about $50,000 for a two-week Deloitte review and think that maybe a $2000 reward per bug would go a long way to making that review irrelevant.