Bug Government Programming Security The Almighty Buck

The Case For a Government Bug Bounty Program

Trailrunner7 writes "Bug bounty programs have been a boon for both researchers and the vendors who sponsor them. From the researcher's perspective, having a lucrative outlet for the work they put in finding vulnerabilities is an obvious win. Many researchers do this work on their own time, outside of their day jobs and with no promise of financial reward. The willingness of vendors such as Google, Facebook, PayPal, Barracuda, Mozilla and others to pay significant amounts of money to researchers who report vulnerabilities to them privately has given researchers both an incentive to find more vulnerabilities and a motivation to not go the full disclosure route. This set of circumstances could be an opportunity for the federal government to step in and create its own separate bug reward program to take up the slack. Certain government agencies already are buying vulnerabilities and exploits for offensive operations. But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who don't pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks. DHS has a massive budget–a $39 billion request for fiscal 2014–and a tiny portion of that allocated to buy bugs from researchers could have a significant effect on the security of the nation's networks. Once the government buys the vulnerability information, it could then work with the affected vendors on fixes, mitigations and notifications for customers before details are released."
  • Re:Bad idea (Score:5, Insightful)

    by Minwee ( 522556 ) <dcr@neverwhen.org> on Friday May 31, 2013 @05:10PM (#43877867) Homepage
    This is Walmart. Their employees are eligible for both.
  • by kasperd ( 592156 ) on Friday May 31, 2013 @05:32PM (#43878099) Homepage Journal

    So now we are going to support companies by buying their vulnerabilities for them?

    It is worse than that. It is essentially rewarding companies for not taking security seriously.

    There is software backed by companies which do offer a bug bounty, and there is software backed by companies which offer no bug bounty. Having a bug bounty for more software is desirable. But having the government pay it for those companies which do not pay it themselves is not the proper solution. A much better solution would be that whenever the government buys software, it primarily buys from companies which do offer a bug bounty.

    This will mean the software being bought is more likely to be secure. Additionally it will put a force on the market, driving it in the right direction.

    The only situation where the government should be paying any bug bounties is when the bugs are in software or services offered by the government. For example, it could apply to security problems found in government websites. But if those products are bought from private companies in the first place, it should be made part of the contract that the vendor will pay the bug bounty and fix the bug.
