July 23, 2013, 9:42 AM — Last month at the FIRST conference (the Forum of Incident Response and Security Teams) in Bangkok, Microsoft announced that it's joining the "bug bounty" crowd. Some might say, "Finally!" but I'm not convinced it's a positive move. No doubt, there are strong arguments both for and against bug bounty programs, but in the long run, I'm not a fan.
Bug bounty programs are used by quite a few software organizations to encourage their customers and the general public to report security vulnerabilities directly to the software organization. Most such programs encourage (or require) a responsible disclosure process, but in the end the vulnerability and its remediation are published to the world. So what's the big deal? Let's consider the pros and cons a bit.
In favor of bug bounties
Bug bounty programs are in essence an extension of security testing programs. They are an ad hoc form of outsourcing a company's security testing -- to a community of people who likely aren't under NDA and, as non-employees, have absolutely no fiduciary responsibility to the software company, I should add. From the company's standpoint, they are relatively cost-effective, since the vendor ends up paying only for actual vulnerabilities, not for time spent trying (and failing) to find the bugs.
In Microsoft's case, it will pay $100,000 for new operating system vulnerabilities and an additional $50,000 for successful mitigation information. (Microsoft also offers $11,000 for critical vulnerabilities found in Internet Explorer.) I suspect these amounts are far less money than Microsoft would pay its own employees for vulnerability exploration and mitigation development work. Any vulnerability explorer will no doubt agree that far more time is spent searching and failing than searching and succeeding. Bug bounty sponsors have found a way to make all that searching-and-failing time cost-free to the software companies.