

Facebook bug bounty: secondary damage bugs and fairness - franjkovic
http://josipfranjkovic.blogspot.com/2013/11/facebook-bug-bounty-secondary-damage.html

======
thetrb
Nice, but these bug bounty programs must be one of the cheapest possible ways
to "outsource" QA work. Paying a few thousand dollars for a critical security
hole? That's extremely cheap compared to a regular QA department.

I'm of course not saying that it replaces the QA department, but even if they
hire only 1 person less because of these programs it's already financially
worth it for them.

~~~
Xylakant
I'd say the biggest impact is that it encourages a behavior that a lot of
people tend to show anyways: If we find a bug, most of us are inclined
to report it, not abuse it. I'd assume that a lot of people tend not to report
bugs when they have the feeling that it only costs them time for no benefit.
Now, with a bug bounty you're shifting the equation towards the desired
outcome: Taking an hour of your time to write a bug report can actually pay
off for you, even if only one in five bugs get the minimum reward. Granted,
you could sell a critical exploit for much more money, but most humans are
intrinsically biased to do "the right thing" and by rewarding people for doing
the right thing and making that reward public, you're reinforcing that bias.

It's still a cheap way to get bug reports, but I don't think it's about
replacing QA. It's about creating a climate where bugs missed by QA have an
increased likelihood to end up on your desk since no QA could ever find all
bugs.

~~~
philk10
I'm a tester so maybe I notice bugs more than others, and I do find a lot when
trying to use sites just to do my day-to-day business. I would report them if
sites made it easy to do so, but in most cases it's really hard just to find a
contact email to report the problem to.

------
hrrsn
Good on Facebook for being honest. Kudos!

------
franjkovic
Just added the timeline for the report on the blog.

