Google and Mozilla recently announced they are increasing the “bounty” they pay to external parties who find vulnerabilities in their products to about $3,000 US. Both believe the bug bounty programs have been successful, but most major software vendors like Microsoft or Oracle or even Apple do not pay for bugs and don’t believe the practice increases security. Who is right?
Any software flaw discovered and responsibly reported to the vendor is a security improvement over one that is discovered and exploited. If paying for disclosure increases the number that are reported rather than exploited, that’s a good thing. But, let’s look at the numbers.
Google reports (I couldn’t find similar Mozilla data) that in the first 6 months of the program it paid a total of $16,846 for 28 reported serious vulnerabilities in Chrome and related Google code. Now, many of those would have been responsibly disclosed even if payment wasn’t offered – I’m going to assume that ratio is 50%. I’m also going to assume that Google has some administrative overhead for this program, and I’m going to say it works out to about 1/4 of a full-time employee or (including overhead) about $20,000 over the 6 month period.
That means Google spent about $36,000 for 14 vulnerabilities that wouldn’t have been reported if it hadn’t spent the $36,000, or about $2,600 per flaw. Now, let’s say instead Google hired one additional skilled security tester at $200,000 (including overhead) who worked 2,000 hours per year looking for flaws in Google code with full access to Google tools, code and support.
If that internal tester found more than 79 flaws in a year (about 1.5 per week), then paying external folks who find bugs means Google is wasting money – the gain is mostly publicity. More importantly, if that extra internal tester found just one single flaw before Google shipped the code, the positive benefit would swamp any and all discovery of flaws after the product has shipped and is in use.
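The break-even arithmetic above, as an added example that is not part of the original post. It reproduces the post's cost-per-flaw and break-even calculation from the quoted figures and then sweeps the two assumptions the post flags as guesses (the share of bugs that would have been reported without payment, and the program's administrative overhead) to show how much the break-even point moves with them; the sweep values are constructed, and exact arithmetic rounds slightly differently from the post's $2,600 and 79.

```python
"""Break-even model: bug bounty vs. one internal security tester."""

# Figures quoted in the post (Google, first 6 months of the program).
BOUNTIES_PAID_USD = 16_846
BUGS_REPORTED = 28
TESTER_ANNUAL_COST_USD = 200_000   # one skilled tester, including overhead


def marginal_cost_per_flaw(bounties_paid, bugs_reported, free_report_share, admin_cost):
    """Cost per flaw that the bounty actually bought.

    free_report_share: fraction of reports assumed to arrive with no payment
                       (the post assumes 0.5).
    admin_cost: program administration cost over the same period.
    Returns None when the assumptions leave no bounty-attributable flaws.
    """
    attributable = bugs_reported * (1.0 - free_report_share)
    if attributable <= 0:
        return None
    return (bounties_paid + admin_cost) / attributable


def breakeven_flaws_per_year(cost_per_flaw, tester_annual_cost=TESTER_ANNUAL_COST_USD):
    """Flaws an internal tester must find per year to match the bounty's cost per flaw."""
    return tester_annual_cost / cost_per_flaw


def sensitivity(free_report_shares, admin_costs):
    """Map (free_report_share, admin_cost) -> rounded break-even flaws per year."""
    table = {}
    for share in free_report_shares:
        for admin in admin_costs:
            per_flaw = marginal_cost_per_flaw(BOUNTIES_PAID_USD, BUGS_REPORTED, share, admin)
            table[(share, admin)] = None if per_flaw is None else round(breakeven_flaws_per_year(per_flaw))
    return table


if __name__ == "__main__":
    # The post's assumptions: 50% would have been reported anyway, ~$20,000 admin overhead.
    base = marginal_cost_per_flaw(BOUNTIES_PAID_USD, BUGS_REPORTED, 0.5, 20_000)
    print(f"cost per bounty-attributable flaw: ${base:,.0f}")
    print(f"break-even internal finds per year: {breakeven_flaws_per_year(base):.0f}")
    # Constructed sweep: how far the break-even moves as the two guesses change.
    for (share, admin), flaws in sorted(sensitivity([0.0, 0.25, 0.5, 0.75], [0, 20_000, 40_000]).items()):
        print(f"free share {share:.2f}, admin ${admin:>6,}: break-even {flaws} flaws/year")
```

The assumption sweep is the useful part: if most reporters would have disclosed for free anyway, the bounty's cost per flaw rises and the internal tester needs to find far fewer bugs to come out ahead.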
Now, Google has lots of money – no doubt it can hire more internal testers (or, even better, better architects and developers who write less flawed code) and also pay external parties to find flaws in Google software that Google testers could not find. However, the focus on finding flaws after the product ships bothers me, especially as Google tries to sell software and services to enterprises and government agencies.
The math pretty much says that paying for vulnerabilities may make sense for software vendors as publicity, but not so much as security.

John Pescatore