

Freakonomics Author, Stephen Dubner on Bug Bounties and Rat Farming - TheloniusPhunk
http://threatpost.com/en_us/blogs/how-bug-bounties-are-rat-farming-092011

======
wccrawford
The guy usually makes sense, but he doesn't here.

You can't breed bugs in programs. You can't earn more money by creating more
bugs in your browser. You simply don't have access.

~~~
holograham
He wasn't making that point. He was making the point that rat farming was bad
but software bug farming was good.

~~~
wccrawford
Why bring it up at all, then? It didn't serve to illuminate anything. He just
brings up a bad analogy, then ... Shoots down his own analogy? Why bother?

------
mercurial
That's a remarkably silly analogy. Researchers do not introduce
vulnerabilities themselves, they are not "farming bugs" to game the system.

~~~
waitwhat
Yup. I clicked through, expecting to read an article with some evidence
(however flimsy) that developers were intentionally introducing bugs in their
software so that their partner could report the bug and claim a bounty. What I
actually read was just weak.

The common term for this is the Cobra Effect
<http://en.wikipedia.org/wiki/Cobra_effect> but a quick google doesn't bring
up any leads on the veracity of his South Africa / rat-farming variant.

EDIT: more googling doesn't find any source for this other than Dubner
himself. Looks like he might have just made it up.

------
andybak
Either he's explained something really badly or someone has this exactly 180
degrees wrong.

