Mandatory bug-bounties from major vendors



#2

It’s not likely to happen. The companies will cry that the gov’t is interfering with how they do business or some such.

However, as consumers, we could include such behaviour as part of our decision making. That is, we buy products from those companies that voluntarily have such bounty programs.


#3

Bug bounties can be a great source of bonus income for the developers of said apps. All they have to do is slip a subtle bug into the code here or there, then split the bounty with their buddy who discovers these subtle bugs.


#4

That would quite effectively hand a tool for competition crushing to all the existing major software companies. It would create an incentive to find a vulnerability in a competitor’s software, especially a new or disruptive startup, where a bounty could kill them off (or force them to sell early).

A nice idea, but it would empower those who already have a lot of resources, and weaken those who are new or innovative. A disincentive to innovate or take risks by creating a monetary penalty for making mistakes.

We would be stuck with Windows 7 or 8 forever, and whatever feline OS is currently happening. Instead of an iterative and ongoing progression of improvements (and missteps, of course) we would stagnate.

Empowers existing high-cash companies, punishes innovation and rewards stagnation: this sounds like it is almost guaranteed to become law.


#5

I can’t imagine letting a jury decide.

If it’s a weakness in a protocol, who pays?


#6

Not just a bounty, but a repeating and increasing bounty: 3 months after the vulnerability is reported if the vendor hasn’t notified users about it or 6 months if they have, the vulnerability is valid for being reported again and the bounty is multiplied by 5. The vendor may avoid liability for the bounty if the vulnerable software is released under a license which would allow the person reporting the vulnerability or any other party who knows of it to fix it and release a version of the software without the vulnerability (whether they actually do so is irrelevant).


#7

I can’t help but find humour in the fact that Brian Krebs also (possibly inadvertently) compared the idea of mandatory bug bounties to eating babies (a modest proposal indeed!)

It wouldn’t surprise me if big wealthy companies flourished under the plan while small poor companies died off (not unlike the outcomes for the wealthy and poor under Jonathan Swift’s original).


#8

Yeah, good luck with that (and I’m on the bounty payment committee at my company).

Leaving aside the merits of the idea, I think Apple, Google, and Microsoft would fight tooth and nail (using lots of money and lobbyists) to keep this from getting passed in the US. Even if it was passed here, it would have to be passed as a law everywhere to work. It isn’t going to happen.


#9

Except that doesn’t happen, gjbloom, and people watch for it. My company doesn’t pay bounties to employees or normal code contributors.


#10

I argued when we discussed this at work yesterday that this would possibly crush small and medium-sized code development shops. A small company with a very popular app could get financially wiped out by a high “bill” for vulns from the government.


#12

Fortunately, GPL’d software doesn’t have bugs!


#13

This topic was automatically closed after 5 days. New replies are no longer allowed.