

Security Reward Programs: Year in Review, Year in Preview - sidcool
http://googleonlinesecurity.blogspot.com/2015/01/security-reward-programs-year-in-review.html

======
iiiggglll
Apple should do something like this. They are in fact the only major tech
company _not_ to have a bounty program[1]. That, combined with the fact that
they have just recorded the single largest quarterly profit for _any_
corporation _ever_ in history[2], makes it pretty embarrassing to see that it
would cost so little yet they still haven't done it.

[1] [http://www.pandasecurity.com/mediacenter/security/twitter-bo...](http://www.pandasecurity.com/mediacenter/security/twitter-bounty-program/)

[2] [https://en.wikipedia.org/wiki/List_of_largest_corporate_prof...](https://en.wikipedia.org/wiki/List_of_largest_corporate_profits_and_losses#Largest_corporate_quarterly_earnings_of_all_time)

~~~
dsacco
First, while I generally advocate for bug bounty programs, don't be fooled by
the apparent cost.

Well known companies (especially those that pay out a bounty) typically
receive tens of thousands of formal security reports a year, all from people
hoping for a bounty and a place on the "Hall of Fame" list. It's very
lucrative and competitive for aspiring security researchers in developing
countries to learn information security this way.

Unfortunately, the most well known companies also average between 5% and 10%
report validity (at the highest), which means that they sink hundreds of
engineering hours into investigating spurious reports. In fact, there are
security engineers at Yahoo, Google and Facebook who, despite it not being the
entirety of their job description, almost exclusively fill their time by
investigating reports.

To quantify this, if you estimate that about 200 engineering hours are spent
on investigating reports each month by the security team ( _very_ conservative
estimate), about 7% of reports are valid, and the cost of a security
engineer's time is about $100,000, you quickly see that a bug bounty for the
largest companies burns through millions of dollars a year _more_ than the
actual bounties paid out. These numbers might actually increase if you take
into account the fully loaded cost of each security engineer, or if their
average salaries are higher.

I think it would be great if more companies embraced bug bounties, but to be
very honest, the state of most programs' fiscal management is frankly a mess
right now.

Second, consider that Apple _does_ have a responsible disclosure program
(complete with "Hall of Fame" honorable mention), and that many other "major"
tech companies have excellent security without paying out bounties for
responsible disclosure. Microsoft had a responsible disclosure program for a
long time, and only recently introduced bounties (and the bounties are still
for a very limited scope compared to the size of Microsoft's properties).
Amazon also doesn't pay out bounties for responsible disclosure.

There is really no reason to not have a responsible disclosure program, but
there are coherent arguments against having a bug bounty program.

~~~
GauntletWizard
Even if you spend 10x in manpower what you spend in bounties, it's still a
pittance compared to the cost and negative publicity of one incident per year.
And those engineers are not going to be completely useless, either; they're
going to be fixing bugs, finding rough spots, etc., while they investigate
those reports.

~~~
dsacco
This is a strong _perhaps._ It is obviously dangerous to try to estimate a
lower bound for negative publicity related to security, but it is also _less
obviously_ dangerous to refrain from estimating an upper bound (or at least
attempting to do so).

It is fiscally irresponsible to invest too little in security _or_ too much in
security. Software security is a nonalgorithmic problem, and the best you can
do is risk management.

Look at it this way: if you spent 300 engineering hours a month investigating
spurious reports and the only valid reports you ever received were for
cross-site request forgery attacks on non-sensitive profile actions, it does
not matter what the ivory tower ideal of the bug bounty was, you wasted resources.

"Given enough eyeballs, all bugs are shallow" is like the worst case scenario
for an algorithm. Sure, it works, but at what cost? What if you had an
internal team penetration testing everything and a private bug bounty program?
What if you exclusively outsource to NCC Group or Accuvant?

There is no hard absolute in this. It's generally good to have a bug bounty
program, but you really need to be aware of the numbers. For example, Yahoo
actually reduced the payments they were giving in bounties for the same
vulnerabilities at the same severity because they did not anticipate how many
would be found of that type.

------
dguido
Biggest change here is that it's becoming so hard to find bugs on Google-owned
domains that they're starting to pay speculative bounties (before you've found
anything).

I'd really like to see how many bounties they paid out for "security
improvements" bounties that they announced middle of 2014. Those were
proactive software development bounties to make code more amenable to static
analysis, new exploit mitigations, etc.

