The Case For a Global, Compulsory Bug Bounty
tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."
Silly (Score:5, Insightful)
This is silly. All it would do is force black market prices up and push smaller companies out of business. It would probably also raise insurance rates for software companies and the cost of software in general. Of course, it would also probably push up the rates for competent software developers.
That's absurd (Score:4, Insightful)
That is an absurd argument. Yes, some companies can and should offer bug bounties, but if the only method you can rely on is outbidding the black market, then you've already lost.
Not to mention, there are a lot of small companies, small foundations, and open source projects which could never afford such prices.
Kill all startups (Score:4, Insightful)
I work for a startup. Not one of those few heavily-funded startups, but a regular startup with barely enough funding to scrape by in the first few years. Like most startups.
$150,000 is just ever so slightly more than two-tenths of one percent of my startup's annual revenue.
Asking an average startup to pay $150,000 for a security bug is like asking security researchers to work for $0.10 an hour.
Re:Kill all startups (Score:2, Insightful)
$150,000 is double the annual revenue of many smaller non-American companies. (Think smaller companies with only two or three programmers, where a lot of the more useful/interesting software of the world comes from.)
Forcing something like this would be a disaster.
Nonsense (Score:4, Insightful)
Re:Good idea... (Score:5, Insightful)
What will happen is that companies will spawn off sub-contractors which do all the coding and are completely offshore entities.
For example, foocorp spawns off ABC Coders. ABC Coders just does business in one country, selling and maintaining its codebase to foocorp. Foocorp is just a customer, so if a government demands a bug bounty, they would have to go upstream to ABC Coders, and since ABC Coders does not do international business, they can give other nations the middle finger when it comes to their regulations.
Re:That's absurd (Score:3, Insightful)
Not to mention, there are a lot of small companies, small foundations, and open source projects which could never afford such prices.
Who pays when a bug is found in the Linux kernel?
Re:Good idea... (Score:4, Insightful)
So in other words, this is about killing off independent developers. Only companies who can afford $156,000 per bug will be able to distribute programs. Free software will, of course, die overnight.
So... Apple or Microsoft?