How Bug Bounties Are Like Rat Farming
Gunkerty Jeb writes "In a keynote speech at the United Security Summit, Stephen Dubner, co-author of Freakonomics, drew parallels between the increasingly popular (and successful) practice of software vendors offering bug bounties and a new industry springing up in Johannesburg, South Africa, where the population has recently found itself beset with a growing rat problem. In order to help mitigate their rodent problem, officials in Johannesburg began offering small monetary rewards for each dead rat turned in. It was wildly successful, and it didn't take long for a fresh batch of entrepreneurs to pop up and exploit the situation. Of course, I'm talking about rat farming. Evidently, business-minded individuals have taken to breeding rats, only to kill them and turn them in for rewards. Obviously, rat farming is somewhat unscrupulous, but security researchers are doing the same thing: breeding bugs in the lab, then leading them to the slaughter for a nice payday. And it's a good thing."
What the hell (Score:5, Insightful)
Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).
But it turns out that he knows more about security than one would think. Maybe even more than he might think.
Or perhaps not? This comes across as exactly the kind of outsider without a clue looking in type perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).
The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.
Re: (Score:1)
I don't know, but the article's last sentence is the only one that asserts that bugs are manufactured. Its argument is "Yes, yes they are!" Solid, totally solid, line of reasoning I'll use the next time I need to conjure a phantom.
Re: (Score:2)
The analogy is rock solid - let me rephrase it with cars. Suppose you are a car manufacturer who wants to sell more cars. Well, you could do that by offering a free lifetime supply of gas for every purchased car. Pretty soon people will queue up to buy your cars. And it's a good thing!
Re: (Score:2)
Where is BadAnalogyGuy when you need him?
I think the point is that with the bug bounties, researchers are busy creating new classes of bugs and 'sploits, and turning them in for the bounty. Instead of being lazy and not creating new types of 'sploits, or worse, stumbling across bugs and selling them to the botnets instead.
The point is, it's better that the security researchers are finding and disclosing more new types of attacks thanks to the bug bounties. If they weren't finding new 'sploits, it doesn't
Re: (Score:2)
The rat analogy breaks down, since it's not really better for them to be breeding rats, than, say, digging deeper to find underground breeding colonies in sewers or something.
This whole situation always reminds me of the UniSys RATS game on the BTOS operating system, on big green minicomputers in the late 80s early 90s, where the "easiest" way to get the high score was to camp on the rat generating colony deep within the maze, rather than sniping individual rats while running the corridors.
Re: (Score:2)
The rat analogy breaks down, since it's not really better for them to be breeding rats, than, say, digging deeper to find underground breeding colonies in sewers or something. Unless they have some sort of awesome recipe for rats. But that wasn't the intent of the rat bounty.
The rat analogy breaks down well before that.
Anyone can breed a rat. But only the developers can create or leave a bug in their own software.
Remember this is about "software vendors offering bug bounties", presumably for bugs in their own packages.
That's a far cry from Google offering a bounty on a bug in Joe Budding Programmer's CS 101 project.
Re: (Score:2)
Anyone can breed a rat. But only the developers can create or leave a bug in their own software.
I love this quote. I think it gets better without context.
Re: (Score:2)
Let me rephrase it in the context of Star Wars. This is Chewbacca. He's a Wookie....
Re: (Score:2)
Impressively, the Slashdot summary manages to be more informative than the article itself, while only quoting the article!
Re: (Score:2)
“Shortly before the Patrician came to power there was a terrible plague of rats. The city council countered it by offering twenty pence for every rat tail. This did, for a week or two, reduce the number of rats—and then people were suddenly queueing up with tails, the city treasury was being drained, and no one seemed to be doing much work. And there still seemed to be a lot of rats around. Lord Vetinari had listened carefully while the problem was explained, and had solved the thing with one memorable phrase which said a lot about him, about the folly of bounty offers, and about the natural instinct of Ankh-Morporkians in any situation involving money: “Tax the rat farms.””
Stealth edit by Dennis Fisher (Score:2)
Hopefully Kaspersky Lab (the owners of threatpost.com) will be able to extract some sort of apology, or at least a clarification that edits done after the post should be clearly marked as such.
If you don't want to use the feedback form, you can email nicole.lawler, greg.sabey, or alejandro.arango, all at kaspersky dot com.
Re: (Score:2)
No, the analogy makes no sense at all. It would only make sense if the developers were adding bugs to the code to collect the bounties. This is not what's being described.
The article is there to fill space and get ad clicks. Like most of the IT press.
Re: (Score:2)
However, they are very similar to the rat farmers in the sense that they might not care about the software being bug-free (or the city being clear of rats) and are only interested in the monetary gains.
But that part isn't notable or interesting.
The whole point of the rat bounty is to coax people into hunting wild rats, who wouldn't be doing it without the monetary incentive. Just like an external security analyst, the legitimate vermin killer is only doing it for the money.
What makes the rat farming anecdote notable, is that people would exploit the scheme by claiming the money while actually making the problem worse. But the bug bounty story has no parallel for that interesting part -- unless someone act
Re: (Score:2)
My thoughts exactly on bugs vs rats.
Re: (Score:2)
If you want to farm rats (which I strongly advise against, as it's a waste of turns -- better to farm wolves or spiders at a higher level), first you need to make sure you're on a level with minimal corruption. Then you need to get a wererat onto the level somehow (making it follow you from an adjacent level is usually the best way). Put yourself in a corner (or along a wall), and hack away at the summoned rats. This should be suf
Re: (Score:2)
But at any rate, writing bugs into code usually doesn't involve any of that.
What do you mean, it doesn't? It's compiling [xkcd.com]!
Re: (Score:2)
I saw Bugs vs. Rats, it was pretty cool. I'm still waiting for the sequel, Rock, Paper, Scissors vs. The World, with Nicolas Cage as Spock. That one's going to r0xx0rz!
-dZ.
Re: (Score:1)
Yea, WTF happened here? The last line of TFS sounded like a pretty interesting last line to the first paragraph of an article. Except it turned out to be the last line of the article, where it made even less fucking sense than it did in TFS. I honestly don't understand how this got published, much less why the fuck someone read it, thought "this is interesting" and then submitted it to slashdot. I do however, fully understand how it made the front page, since it's quite obvious that no editor bothered t
Re: (Score:2)
Stephen Dubner is a smart guy, and I'm sure he had a solid point to make.
I can only imagine that this reporter has failed to relay it correctly.
What confuses me most is the "and that's a good thing" at the end. Mystifying.
Re: (Score:3)
this whole article is mostly pointless (besides the interesting story about rat farming).
Which itself seems to be a fabrication (unless this is the one story unavailable anywhere else on the internet). Johannesburg certainly has a rat problem, but there are no reports of the city paying bounties.
http://www.news24.com/SouthAfrica/News/Johannesburg-waging-war-against-rats-20110801 [news24.com]
http://www.news24.com/SouthAfrica/News/Anti-rat-campaign-moves-to-Soweto-20110812 [news24.com]
Re: (Score:2)
Are you sure they were rats? The Canadian prairies don't have a lot of rats (Alberta has none). They DO have prairie dogs and Richardson's ground squirrels though, and there have been various bounties at various times on those. Apparently in Saskatchewan once the bounty only required turning in the tail so you'd catch the little guy, whirl him around by the tail until it tore off, and let him go.
Re: (Score:2)
See, this is why history is a pain in the ass to study; anything but a first-hand account is pretty much garbage.
A stronger citation for rat farming (Score:2)
Re: (Score:2)
That's all humbug. I live in South Africa, and there is no way I, my friends or any of my family will hand in dead rats for money, not even to mention breeding them for said imaginative payment on delivery of dead rodent. It's completely ludicrous and utter drivel.
Rather skewer them over an open fire, it really brings out the flavor. But care must be taken with those who are carrying young, the veal is especially priceless.
Re: (Score:2)
That's all humbug. I live in South Africa, and there is no way me, my friends or any of my family will hand in dead rats for money, ... Rather skewer them over an open fire, it really brings out the flavor. But care must be taken with those who are carrying young, the veal is especially priceless.
Great answer! I've read similar comments from Chinese sources about various pest problems there. Their similar replies are especially effective, because the rest of the world has a stereotype of Chinese that they'll eat any sort of strange animals. The fact that this is semi-true just adds to the effectiveness of the humor. I once had a Chinese friend who liked to tell people that his relatives back home trapped and ate second children. He really enjoyed the responses to this claim.
Of course, if a b
Re: (Score:2)
Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).
But it turns out that he knows more about security than one would think. Maybe even more than he might think.
Or perhaps not? This comes across as exactly the kind of outsider without a clue looking in type perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).
The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.
You did miss something. The researchers are not injecting bugs. Instead, they are "farming for bugs" in the sense that they (presumably) put the software through a battery of tests (the "breeding" process). His point was that the bounty system was originally to motivate USERS to submit reports (like in S.A. where the point was to encourage citizens to turn in rat bodies). Instead, you've now got security researchers who may have absolutely no interest in using the software itself but have a monetary incentive
Re: (Score:2)
I love the article. It starts with a snarky paragraph about outsiders who don't know anything about security drawing (presumably) flawed analogies to things in their own area of expertise, says Dubner is different, then goes on to credulously relate a flawed analogy Dubner made between computer security and rat farming (which is presumably in his area of expertise).
The irony is strong with this one. Unless he was serious....
Another example of an economist talking without a complete understanding of a subj
Re: (Score:2)
The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances. And, here is the line in TFA that states that outright. It is called headline sensationalism, pure and simple.
Re: (Score:2)
Those last two paragraphs were added later, without any indication that they were a post-publication edit.
Re: (Score:2)
The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.
No, that's EXACTLY the point he is making. He even says in the article that researchers aren't creating bugs, they are merely looking closely at the software with the purpose of finding those bugs. His analogy with rat farming isn't a very good one, but the main thrust of the article is that bug bounties ARE working--- and that commercial companies are recognizing that.
The rat farming analogy works if you think about the tools researchers create purely for detecting bugs in the target code. Programs that
Re: (Score:2)
The amusing piece of flawed logic appears to be the idea (very very common in the popular and business press) of thinking that a bug that nobody knows about is a bug that doesn't exist. It's the logical equivalent of assuming that if you can't see it, it can't see you.
Re:His point (Score:4, Insightful)
It's correct to observe that an incentive scheme could, conceivably, tempt developers into deliberately inserting bugs.
This would happen if you:
What the article doesn't do is point at real-world instances of this happening, or explain why "that's a good thing".
Re: (Score:2)
Presumably nobody is dumb enough to pay bounties to contributors who find bugs in their own code.
Re: (Score:2)
1. I think you underestimate how dumb people can be
2. It's trivial to work around that obstacle with a little collusion.
Re: (Score:2)
No, but it is trivial to set up an alias or work with a friend and split the profits.
Re: (Score:2)
It's not trivial to get write access to most projects so you wouldn't want to be switching developer accounts too much. And bug bounties require information on who to pay, so you wouldn't be able to just make up names for that either. And your turnaround between introducing a bug and finding it would have to be fairly quick to avoid other people nabbing them on you. Which all adds up to some pretty suspicious patterns.
Re: (Score:2)
Unless I missed something in the article, the analogy here makes absolutely no sense.
Maybe they meant something like: 1) researchers find bugs in lab 2) they breed/multiply them, i.e. cut them into pieces and submit each sub-bug/symptom separately instead of the root cause that's responsible for all those sub-bugs 3) profit by way of quasi-redundant bug reports 4) ??? (read: I'm just guessing how you could maximise your profit in a way similarly malicious to the rat-breeding issue)
Ahhh. Well done: this at least makes some sense. I realise this is all speculation at this point, but the theory is that bug bounties make for bug reports that are too 'fine grained' because that's more profitable. Like, instead of "Bug: Language translation is broken in latest build" you get: "Bug: French translation broken..", "Bug: German translation broken...", etc?
Re: (Score:2)
X is used by modules A, B and C. Instead of submitting the bug in X, you find where the bug manifests (i.e. in A, B and C) and only submit these symptoms. Of course you'd have to obfuscate your findings enough so the bug-fixer doesn't actually find the bug in X too early. Thus you end up with 3 bug-reports (4 once you've fully exploited the real bug) instead of just the 1.
This is more likely to happen if X, A, B & C are managed by different independent bounty programs. If managed by a single company, I doubt the submitters would be successful.
Re: (Score:2)
Kind of a stretch from what was actually said in the article, but I can see that point.
Dumb article. (Score:4, Informative)
There is ZERO evidence that the people writing the software cited in the article are intentionally introducing bugs. This guy should either produce a smidgen of evidence or FOADIAF.
Re: (Score:2)
FOADIAF
Fly on a dinosaur in a forest?
Re: (Score:2)
I suppose if I don't fly off, I would die in a fire. But wouldn't it be more grammatically correct to say "OR die in a fire"? And if I'm not flying on a dinosaur, then what will I fly on?
No incomplete summary (Score:2)
- It's not a dumb article, it's just a happy one
We're just confused because articles are always expected to be negative; this one isn't. Now smile.
Re: (Score:2)
No, we're confused because the rat farming analogy has no bearing on the good news you noticed.
Rat farming: Incentive scheme leads to unintended, unexpected, undesirable outcome
Bug bounty: Incentive scheme leads to intended, expected, desirable outcome
Re: (Score:2)
That's because those paragraphs were added to the article after the fact (and after the summary was written - so the summary isn't incomplete; it reflects the idiotic article at the time).
Re: (Score:2)
My question is: who made this idiotic remark?
Stephen Dubner? or the journalist who's claiming to paraphrase what Stephen Dubner said during his speech?
I'm crossing my fingers that it's not the Freakonomics co-author, otherwise I'll never dare quote anything again from that book.
Re: (Score:2)
The conclusion is false:
There is ZERO evidence that the people writing the software cited in the article are intentionally introducing bugs. This guy should either produce a smidgen of evidence or FOADIAF.
Agreed - with a couple of points. The bounties are only for exploitable bugs, there's no mention of developers deliberately introducing bugs (let alone evidence), so researchers can "find" them and profit.
I like the quoted author's economics work - but this has zero to do with economics. Having done triage for bug reports I know single bugs can have multiple reports, and there is no shortage of fake bugs - but it has no bearing on bounties. (sigh) just another bullshit "hype my security conference that hyp
Don't RTFA (Score:2)
It doesn't say anything more than the Slashdot topic.
Re: (Score:2)
It doesn't say anything more than the Slashdot topic.
It does now. A few sentences have been added that attempt to counteract the idiocy of the original claim implying that the bug "researchers" are introducing bugs into someone else's software to collect the bounty.
It's still a rather crappy analogy. Methinks it's more of an attempt to disparage the bug hunters. This is quite common in the software biz, of course, but this author found an original way to discredit people's attempts to improve software quality.
ObDilbert (Score:4, Funny)
"I'm gonna write me a new minivan this afternoon!"
http://search.dilbert.com/comic/10%20Dollars%20Bug%20Fix [dilbert.com]
you can not breed the same bug again (Score:2)
You can breed rats, and they are rats. If you would get paid for a grey rat only once and not for every one, then you need to turn in brown, striped, checkered, white, blue, green, yellow rats. That would make the farming task way more complicated. Especially as there are other rat farmers out there doing the same.
And once all colors of rats have been done, it's over. No more rats...
That's the worst analogy I've ever seen (Score:4, Insightful)
And that includes slashdot car and pizza analogies.
Unless he is claiming researchers are contributing code to said products that they know contains security bugs and then when it is released reporting it and claiming a bug bounty (and hiding the fact they contributed it since the rules say you can't do that of course).
But he isn't. So the analogy is complete and utter garbage.
Re: (Score:2)
Maybe I can explain it a little better...
Okay, picture a car.
Does the analogy make any more sense now?
Re: (Score:2)
And that includes slashdot car and pizza analogies.
Unless he is claiming researchers are contributing code to said products that they know contains security bugs and then when it is released reporting it and claiming a bug bounty (and hiding the fact they contributed it since the rules say you can't do that of course).
But he isn't. So the analogy is complete and utter garbage.
Where's BadAnalogyGuy when you need him? Also: I've never seen a pizza analogy on slashdot. I'm curious - what are they like?
Re: (Score:2)
Also: I've never seen a pizza analogy on slashdot. I'm curious - what are they like?
They're a lot like stone soup analogies.
Re: (Score:2)
Also: I've never seen a pizza analogy on slashdot. I'm curious - what are they like?
They're a lot like stone soup analogies.
So, one poster says "This computer security situation is like stone soup. But what would make it more relevant would be if it were also like a pizza with a stone soup topping."
And then another poster says "That is a good analogy, but it would be even better if it were also like a car made entirely of pizza with a stone soup topping..."
Re: (Score:2)
Also: I've never seen a pizza analogy on slashdot. I'm curious - what are they like?
They're a lot like stone soup analogies.
Actually, the pizza analogy works pretty well with the rat-farming story. That one says that if you offer money for dead rats, you encourage people to produce rats that they sell to you. Similarly, if you buy pizzas from pizza makers, that just encourages them to make more pizzas, which they then sell to people like you.
But I don't think either of these works too well as analogies to software bugs. The explanation probably has to do with the fact that nobody actually buys the bugs themselves; they pay
Re: (Score:2)
And that includes slashdot car and pizza analogies.
To anyone confused over that statement, let me explain: The analogy given here is like a busted fourth- or fifth-hand Chevy station wagon. Nobody really wants it and it doesn't really work, but it does fill space AND it benefits the person who owns it just barely more than not having any car would.
No meta-analogies!
"Tax the rat farms." - Vetinari (Score:5, Informative)
Okay, so who came up with this idea first? South Africa? Or Terry Pratchett?
Rat farming (Score:2)
I heard about the rat farming story as a kid - and that is many years ago. The idea of relocating the story from 19th century US to South Africa strikes me as odd. But who knows, maybe the SA story has been verified.
Bad analogy, bad article (Score:2)
Re: (Score:2)
That's a very inflexible interpretation. Here's how to coax the analogy into making sense. The general theme is how rewards can be counterproductive by shifting the aim of those being rewarded. I'll take an old story about chimpanzees, art and bananas. The chimpanzees were given paint and paper to play with, and they had a lot of fun, making nice things. Then rewards were introduced: make a painting, get a banana. This changed the character of the game for the chimpanzees. Paintings became just a means for
Re: (Score:2)
I think what you're saying is, it's not a direct analogy.
"Here's an example of an incentive scheme that has an unexpected and undesirable outcome".
"Bug bounties can also have unexpected outcomes" -- but with a quite different mechanism.
I don't think Dubner would have done that. Freakonomics (the book) contains loads of examples of unexpected outcomes due to skewed incentives. He could have found one that fitted better.
No, I'm pretty sure this is just a reporter failing to convey what was actually said.
(Favo
Re: (Score:2)
He could have come up with a better example (he could have taken your example), but it's not bad and I explained why. If you imagine a kind of tree structure (or a directional web) with edges indicating a relationship "is kind of a .. story", then the rat farming story is a story where incentives act counterproductively because they shift the motivation away from the original intent.
This is a good node, the analogy is good.
There is also a more detailed node "incentives leading to a situation where people act
Re: (Score:2)
Actually, there is a variable in the stories which is the amount of cheating. I think I'd prefer a story with a minimal sense of cheating.
Reminds me of the article from thedailywtf (Score:2)
Horrible, crappy, Half an article (Score:2)
2. It just says it is similar to the bug hunting business - with NO explanation. No real discussion of the bug hunting business, no explanation why they are similar. It just assumes you will believe they are similar, with no reason. I don't see any connection.
3. It concludes with "and that's a good thing" with no explanation of why it is a good thing. Bull.
If I saw this in a blog, I would call it a bad blog. As an article, it is at best half of
Re: (Score:3)
The author basically gave a review of that speech, and left out all the important stuff, just because he was obsessed with the stupid rat farming example.
I will have to go looking for the real speech; it might actually be interesting.
Dilbert did this in 1998 (Score:2)
http://www.klocwork.com/blog/2009/10/im-gonna-write-me-a-new-minivan-is-zero-software-bugs-the-right-goal/ [klocwork.com]
I'll just quote the first comment from TFA (Score:2)
WTF? This makes absolutely no sense. Bugs cannot be manufactured into existing software, they are created by the vendor not by the vulnerability finder. The analogy to rat farming is completely bogus
Ditto
Better analogy: imported rats, not farmed (Score:2)
I think the point he's getting at is that a lot of the bugs are not the ones that would trouble users (i.e. they only appear "in the lab"). So although it's still good to fix them, they are low priority.
The farming analogy is bad because it implies people are creating these bugs just to turn them in, which as everyone is pointing out, doesn't make sense and would reflect poorly on the buggy developer, so it would be self-limiting. Instead, I propose he should have said "imported" rats instead of "farmed"
Re: (Score:2)
What does $1265 of bugs look like [daemonology.net]
Looks like this wasn't a slashdot article, maybe it should be
Re: (Score:2)
As I've already said, Dubner's a clever bloke. If he was trying to make the point you've made, then he'd have found a suitable analogy. He has at least two bookfuls.
No, this is a reporter getting the wrong end of the stick.
But let's think about your observations.
The rat farming thing is fairly interesting. You can imagine the rat bounty seeming like a good idea. People subverting it by farming rats would come as a surprise to a lot of people. Freakonomics is full of stories like that.
Your observation, that
Re: (Score:2)
Your observation, that a bug hunt will reveal lots of inconsequential bugs, but the few significant ones make it worthwhile -- well, that's entirely the expected result, surely?
Well, I could make some argument about whether it's generally worthwhile even for a few significant bugs... if they are significant, it's likely they would be found and reported in short order regardless of a bounty. And especially if there's a backlog of bugs, I'd say those should take priority over finding new bugs that haven't actually bothered anyone yet.
The security aspect is different though, because those are bugs that have a motivation to go unreported. And there's the 'papercut' type, where small
badanalogyguy writes security articles now? (Score:2)
How exactly do researchers 'plant' bugs into code released by another party?
Researcher: "Look look! We found a bug!"
Company: "Why yes you did! Wait... this isn't even our code! GTFO and stop wasting our time."
Re: (Score:2)
Business model!
1. Note missing feature in Firefox
2. Write missing functionality; include carefully obfuscated security bug
3. Donate code to Mozilla
4. "Find" and fix bug. Claim bounty.
5. Collapse, cackling, into your bed of dollar bills.
Re: (Score:2)
Business model!
1. Note missing feature in Firefox
2. Write missing functionality; include carefully obfuscated security bug
And that explains the new Firefox 5-week release cycle.
"Bugs for cash" scams can work - except... (Score:2)
... when a company happens to track who is the person responsible for a bug.
If there's no accountability, then a coder could generate bugs for a confederate on the outside to cash in on. Mind you, you'd need to make sure:
The actual analogy... (Score:2)
So, like I said, a very bad analogy.
Nothing like rat farming (Score:2)
The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances.
So it's actually nothing like rat farming.
Two paragraphs added to post (Score:2)
The (current) last two paragraphs of the article were added after many of the /. comments were posted.
Previous final sentences:
But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.
Added paragraphs:
The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances. Those who run the bug bounty programs at the software companies say that they are seeing more and more submissions than they did before their programs began, and the combined resources of the external researchers and the vendors' internal teams find far more flaws than just the internal teams could.
The idea of people raising rats for the express purpose of killing them likely isn't what the officials had in mind when they began their reward program, and they may well end up with a larger rat infestation than they had when they began if they put a stop to the rewards and the rats end up wandering the streets. But the opposite has occurred with the vendors' bug bounty programs. As they've continued to reward researchers and even raise the amount they pay for new bugs, researchers have responded with more submissions, and all of the users of those applications have benefited.
Seems like an attempt to rescue the article from terminal idiocy. But it's just digging a deeper hole.
It's just like rat farming! Except that nobody's manufacturing defects deliberately.
Rat farming had unintended consequences! Bug bounties have exactly the consequences that their designers were aiming for: lots of people detecting bugs.
I just hope Dubner is BadAnalogyGuy (Score:2)
Okay, so in South Africa, bounties for dead rats had the unintended consequence of creating rat farmers which is 180 degrees counter to what the creators of the bounty wanted. It's a classic case of perverse incentives. On the other hand, the software bug bounties are resulting in more software bugs being found and fixed. Exactly what the creators of the software bug bounties wanted. And, no one, not even the bad-analogy-maker, is suggesting that the security researchers are introducing software bugs only t
Re: (Score:2)
I had always kind of figured the Freakonomics guys were more pop-pseudo-science than actual hard science. But I'm not an expert in any of the other fields they've discussed. Now I guess I know for sure that they're full of it.
Freakonomics is fine. This seems like a case of Chinese whispers in the retelling.
Dilbert figured this out 15 years ago. (Score:3)
http://dilbert.com/strips/comic/1995-11-13/ [dilbert.com]
A true story (Score:2)
Nothing new to this.
Twenty years ago, I worked at a company (whose name you have all heard but I'd best not mention) which, among other things, produced development tools. A major release was coming up, and the word went out: company-wide cash bounty on bugs. The more severe, the bigger the bounty.
BUT... neither Development nor QA on the product team in question were entitled to participate.
An underground economy of bugs immediately arose. QA people would find bugs and tell their tech support buddies.
OK, Mystery solved (Score:2)
Another blog post, another site: http://www.leadershipblog.co.za/2010/08/11/stephen-dubner/ [leadershipblog.co.za]
It quotes Dubner directly. Dubner says nothing about bug bounties in relation to rat farming.
He talks about the rat farming anecdote, then talks about unintended consequences in general, in the realm of government, not software development.
His main observation seems to be that politicians have no incentive to create schemes that are immune to unintended consequences, because the unintended consequences are usually lon
Re: (Score:2)
The only farming going on is for ad impressions. That's why it says "and it's a good thing" at the end -- a good thing from his perspective that the story's author is getting paid, because he certainly hasn't done any work.