
Study Finds Bug Bounty Programs Extremely Cost-Effective

itwbennett writes "U.C. Berkeley researchers have determined that crowdsourcing bug-finding is a far better investment than hiring employees to do the job. Here's the math: Over the last three years, Google has paid $580,000 and Mozilla has paid $570,000 for bugs found in their Chrome and Firefox browsers — and hundreds of vulnerabilities have been fixed. Compare that to the average annual cost of a single North American developer (about $100,000, plus 50% overhead), 'we see that the cost of either of these VRPs (vulnerability reward programs) is comparable to the cost of just one member of the browser security team,' the researchers wrote (PDF). And the crowdsourcing also uncovered more bugs than a single full-time developer could find."
  • Incentives (Score:5, Informative)

    by Todd Knarr (15451) on Wednesday July 10, 2013 @12:55PM (#44240481)

    The major problem is that on-staff developers are usually discouraged from going on bug-hunts. Management would rather have them developing new features, so they won't allocate time towards finding bugs. When the company's policy towards finding bugs conflicts with how your manager assigns you tasks, guess which one wins. Worse, most of the time an employee who ignores his to-do list to go find problems ends up penalized either explicitly (by bad reviews) or implicitly (negative impact from people being annoyed that he made work for them). Outsiders in these bounty programs don't have to worry about a manager assigning them 100% to new features and 0% to finding vulnerabilities, and they don't have to worry about the impact of bad reviews or negative comments by managers about the extra work they created for everybody.

  • Re:Incentives (Score:5, Informative)

    by VorpalRodent (964940) on Wednesday July 10, 2013 @12:59PM (#44240563)

    And not just bug hunts. I have a laundry list of things that need to be refactored, but every time we think we might have a chance to do so, project management decides something else is more important. We have people complaining about things being slow, but when told that we need to spend time to make it faster, we instead get directed at new features or, worse, tweaks for the sake of a single non-representative customer that happens to have the ear of the project owner.