
Should gov.uk run a bug bounty? - edent
http://shkspr.mobi/blog/2014/02/should-gov.uk-run-a-bug-bounty/
======
mattmanser
I think it's impressive how far they've come the last few years. Props to the
gov.uk team if any of them lurk here, they even came and commented when the
initial designs were posted here:

[https://news.ycombinator.com/item?id=3811052](https://news.ycombinator.com/item?id=3811052)

Yes, they probably eventually should, but given how we've gone from terrible
websites by contractors to decent ones in a short time, I'm not going to start
jumping up and down about it yet.

Although if they could get round to redesigning the 'gateway' crap sooner
rather than later it'd be much appreciated. I have already been given 25
different gateway IDs.

~~~
csmithuk
I am and I'm not impressed.

Whilst the outcome is positive, the technology churn isn't. In fact, it's a
right mess. They've ended up with a huge stack that doesn't need to be there.
They're there to provide content efficiently, not redesign the infrastructure.
They're using tech because it's cool and fun rather than suitable for the task
and cost effective.

I know people are going to compare them to EDS and say "look how far we've
come" etc but they are still spending public money and are not beyond scrutiny
from us tax payers.

They're not a startup either. The ground they're standing on is different to
what they think they're standing on.

Edit: downvoters, please at least have the honour to explain yourselves.

~~~
ronaldx
Having a central body which sets government digital policy on how to provide
information across departments is great.

That they're doing a fantastic job of providing content to users efficiently,
using appropriate technology and without favouring commercial solutions, is
incredible.

Compare the clusterfuck that is
[http://www.cyberstreetwise.com](http://www.cyberstreetwise.com).
Contracted-out websites cannot match the quality and cost effectiveness.

I downvoted you because it's really very difficult to understand what you are
actually complaining about: you are trolling.

~~~
csmithuk
I'm not trolling. I've watched them build their own stack, throw it away,
build it again, throw it away. That's waste.

~~~
leoedin
How close are you to these guys? When you say "I've watched them build their
own stack", are you referring to having read some blog posts, or do you know
them personally?

The money that the fairly small team are spending is a drop in the ocean
compared to many government funded projects. If you want to get angry about
misspent public funds, I can think of countless other areas that are orders of
magnitude worse. The reality is that a small team of people directly employed
by the government working fairly effectively can build and discard their stack
as many times as they want and still be significantly cheaper than getting a
big company to do it.

~~~
csmithuk
I watch github, I watch their blog, I read interviews, I get the picture.

It's my job to look at dysfunctional teams both from a technology and a
process perspective. I've seen teams like this many times before. They are
expensive, inefficient and the return is considerably lower than the
investment has promised.

Just because the historic approaches are worse doesn't exclude these guys from
scrutiny. They'll quite happily piss £40k of dev cost up the wall while other
departments are arguing over £200 ultrasounds for cancer patients. Scrutiny
must be universal and unforgiving.

~~~
mattmanser
So long answer, short, you don't know.

I've not been watching them closely, but they are delivering, which seems an
extremely strong indication they're not dysfunctional at all.

Every now and then I end up on a gov site they've redone and it's immediately
obvious they've had at it because it's easy to use, responsive, etc.

You're sounding like one of those pointy haired bosses that don't understand
that good developers play to succeed, and it doesn't always pay off. But if
you stop them you end up with crap because the good people leave.

~~~
code_not_curse
Got to say it sounds like you were pretty far away too, but the page loads
quick so it is ok they redeveloped the stack with Ruby, Scala, Go, and when
they get bored and want to learn Elixir or Erlang, maybe they rewrite it
again. After all, it is only our taxes paying for it.

Sounds more like a pointy haired boss to me.

------
csmithuk
No. They shouldn't. They are publicly funded so efficiency of cash flow is
important. No reward should be required in this circumstance apart from
perhaps an acknowledgement.

They should operate an open submission policy though i.e. a bug report form
and actually feed back to people.

~~~
shawabawa3
> They are publicly funded so efficiency of cash flow is important

Bug bounty rewards are orders of magnitude cheaper than the damage the bugs
can cause.

If they have a bug report form at all and employ people to screen and respond
to bug reports, the bounty costs probably won't even add up to the cost of 1
additional employee.

~~~
yerma
I disagree. When you understand the way UK government works, any compromises
will be cheaper in nearly every case, along with requiring no action on their
part in the first place, which is even better. Planning the creation of a team
to handle this will likely run into the millions before you've even begun;
that is the way it works. And no one resigns, they just go into hiding for a
while ;)

------
Nursie
I'm still waiting for a response on what sort of privacy analysis took place
when they decided to use Google Analytics to track and analyse UK citizens'
interactions with UK government.

It still doesn't smell right.

------
JamesBaxter
Maybe there should be a public record of the bugs and who found them,
something you could point to on a CV.

~~~
edent
That could be a very interesting idea. I know Google run a Hall of Fame, and
Facebook do something similar.

------
jpswade
If bugs are an issue, why not get started and fix them?

* [https://github.com/alphagov/](https://github.com/alphagov/)

* [http://alphagov.github.io/](http://alphagov.github.io/)

* [https://gds.blog.gov.uk/2012/10/12/coding-in-the-open/](https://gds.blog.gov.uk/2012/10/12/coding-in-the-open/)

Looks great on your CV, you're helping your government do it right, everyone's
a winner.

~~~
edent
I'm not specifically talking about [https://gov.uk/](https://gov.uk/) but
rather all of X.gov.uk - like HMRC, DWP, etc.

That said, is there a way on GitHub to _privately_ raise a security related
issue without the whole world seeing it?

~~~
jpswade
Many of them are now open source too:

* [http://government.github.com/community/](http://government.github.com/community/)

For example:

* [https://github.com/hmrc](https://github.com/hmrc)

Sure it's not everything yet, but it's progress. You can still reach the right
people and get involved.

