Hacker News new | past | comments | ask | show | jobs | submit login

Apple should do something like this. They are in fact the only major tech company not to have a bounty program[1]. That, combined with the fact that they have just recorded the single largest quarterly profit for any corporation ever in history[2] makes it pretty embarrassing to see that it would cost so little yet they still haven't done it.

[1] http://www.pandasecurity.com/mediacenter/security/twitter-bo...

[2] https://en.wikipedia.org/wiki/List_of_largest_corporate_prof...

First, while I generally advocate for bug bounty programs, don't be fooled by the apparent cost.

Well known companies (especially those that pay out a bounty) typically receive tens of thousands of formal security reports a year, all from people hoping for a bounty and a place on the "Hall of Fame" list. It's very lucrative and competitive for aspiring security researchers in developing countries to learn information security this way.

Unfortunately, the most well known companies also average between 5% and 10% report validity (at the highest), which means that they sink hundreds of engineering hours into investigating spurious reports. In fact, there are security engineers at Yahoo, Google and Facebook who, despite it not being the entirety of their job description, almost exclusively fill their time by investigating reports.

To quantify this, if you estimate that about 200 engineering hours are spent on investigating reports each month by the security team (very conservative estimate), about 7% of reports are valid, and the cost of a security engineer's time is about $100,000, you quickly see that a bug bounty for the largest companies burns through millions of dollars a year more than the actual bounties paid out. These numbers might actually increase if you take into account the fully loaded cost of each security engineer, or their average salaries are higher.

I think it would be great if more companies embraced bug bounties, but to be very honest, the state of most programs' fiscal management is frankly a mess right now.

Second, consider that Apple does have a responsible disclosure program (complete with "Hall of Fame" honorable mention), and that many other "major" tech companies have excellent security without paying out bounties for responsible disclosure. Microsoft had a responsible disclosure program for a long time, and only recently introduced bounties (and the bounties are still for a very limited scope compared to the size of Microsoft's properties). Amazon also doesn't pay out bounties for responsible disclosure.

There is really no reason to not have a responsible disclosure program, but there are coherent arguments against having a bug bounty program.

Even if you spend 10x in Manpower what you spend in bounties, it's still a pittance compared to the cost and negative publicity of one incident per year. And those engineers are not going to be completely useless, either; They're going to be fixing bugs, finding rough spots, etc, while they investigate those reports.

This is a strong perhaps. It is obviously dangerous to try to estimate a lower bound for negative publicity related to security, but it is also less obviously dangerous to refrain from estimating an upper bound (or at least attempting to do so).

It is fiscally irresponsible to invest too little in security or too much in security. Software security is a nonalgorithmic problem, and the best you can do is risk management.

Look at it this way: if you spent 300 engineering hours a month investigating spurious reports and the only valid reports you ever received were for cross-site request forgery attacks on non-sensitive profile actions, it does not matter what the ivory tower ideal of the bug bounty was, you wasted resources.

"Given enough eyeballs, all bugs are shallow" is like the worst case scenario for an algorithm. Sure, it works, but at what cost? What if you had an internal team penetration testing everything and a private bug bounty program? What if you exclusively outsource to NCC Group or Accuvant?

There is no hard absolute in this. It's generally good to have a bug bounty program, but you really need to be aware of the numbers. For example, Yahoo actually reduced the payments they were giving in bounties for the same vulnerabilities at the same severity because they did not anticipate how many would be found of that type.

Yes, investigating reports is not a sunk cost. Security engineering is all about doing code reviews, which is what this is. There are also ways to optimize which reports you take seriously.

The real reason bug bounties are not in place is mostly a combination of insecurity and arrogance.

Maybe Google should just start paying bounties for reported bugs in apple's software.

They do:


Google and Apple both have top-notch security teams, but they also have different strengths and weaknesses. Google's relationship with the security research community is a definite strength.

Agreed. In particular, Chris Evans is brilliant and friendly. :)

(Can't comment on lcamtuf or the others on their team, as I've never communicated with them.)

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact