Bug bounties are all the rage these days. It seems a week doesn’t pass without yet another company offering thousands of dollars to any hacker who can uncover potential exploits in its systems. In theory, public bounties apply all the power of crowdsourcing to the complex and shifting problem of vulnerabilities—but are they really the most effective way of squashing bugs?
At least one tech executive doesn’t think so. “Why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find it really is ‘whack a code mole’) when I could spend that money on better prevention,” Mary Ann Davidson, chief security officer at Oracle, wrote in a subsequently deleted blog posting, “like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues.”
(Subsequent backlash to that blog posting’s main points—including the assertion that Oracle knows how to deal with security holes better than its clients—led to its takedown, although you can still find it archived online.)
For years, other security experts and executives have argued that bug bounties are one of the better things to happen to tech security. Paying hackers to report bugs is seen as a solid way of ensuring those vulnerabilities are never released into the open; get enough hackers picking away at your systems, and you can find a plethora of vulnerabilities pretty quickly.
“With the bug bounty program we got a hundred and twenty pairs of eyeballs on our system for a week instead of just one or two pairs for a week,” Peter Whitfield, an engineering director with e-commerce vendor Bigcommerce, told CIO magazine in 2013.
Bug bounties are also cost-effective, since the company pays out only on results. As demonstrated by Tesla and other firms, the company can also dictate which systems it wants tested. While most companies will probably use in-house help to test their most sensitive systems—nobody is going to open a database with customer data to outside exploration—bug bounties continue to prove their worth to a growing number of tech firms.