
How Bug Bounties Are Like Rat Farming

Gunkerty Jeb writes "In a keynote speech at the United Security Summit, Stephen Dubner, co-author of Freakonomics, drew parallels between the increasingly popular (and successful) practice of software vendors offering bug bounties and a new industry springing up in Johannesburg, South Africa, where the population has recently found itself beset with a growing rat problem. In order to help mitigate their rodent problem, officials in Johannesburg began offering a small monetary reward for each dead rat turned in. It was wildly successful, and it didn't take long for a fresh batch of entrepreneurs to pop up and exploit the situation. Of course, I'm talking about rat farming. Evidently, business-minded individuals have taken to breeding rats, only to kill them and turn them in for rewards. Obviously, rat farming is somewhat unscrupulous, but security researchers are doing the same thing: breeding bugs in the lab, then leading them to the slaughter for a nice payday. And it's a good thing."

  • What the hell (Score:5, Insightful)

    by Anrego ( 830717 ) * on Tuesday September 20, 2011 @10:01AM (#37456042)

    Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).

    But it turns out that he knows more about security than one would think. Maybe even more than he might think.

    Or perhaps not? This comes across as exactly the kind of outsider without a clue looking in type perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).

    The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

    • by Anonymous Coward

      I don't know but the article's last sentence is the only one that asserts that bugs are manufactured. Its argument is "Yes, yes they are!" Solid, totally solid, line of reasoning I'll use the next time I need to conjure a phantom.

      • The analogy is rock solid - let me rephrase it with cars. Suppose you are a car manufacturer who wants to sell more cars. Well, you could do that by offering a free lifetime supply of gas for every purchased car. Pretty soon people will queue up to buy your cars. And it's a good thing!

        • by rwa2 ( 4391 ) *

          Where is BadAnalogyGuy when you need him?

          I think the point is that with the bug bounties, researchers are busy creating new classes of bugs and 'sploits, and turning them in for the bounty. Instead of being lazy and not creating new types of 'sploits, or worse, stumbling across bugs and selling them to the botnets instead.

          The point is, it's better that the security researchers are finding and disclosing more new types of attacks thanks to the bug bounties. If they weren't finding new 'sploits, it doesn't

          • by vlm ( 69642 )

            The rat analogy breaks down, since it's not really better for them to be breeding rats, than, say, digging deeper to find underground breeding colonies in sewers or something.

            This whole situation always reminds me of the UniSys RATS game on the BTOS operating system, on big green minicomputers in the late 80s early 90s, where the "easiest" way to get the high score was to camp on the rat generating colony deep within the maze, rather than sniping individual rats while running the corridors.

          • by icebike ( 68054 )

            The rat analogy breaks down, since it's not really better for them to be breeding rats, than, say, digging deeper to find underground breeding colonies in sewers or something. Unless they have some sort of awesome recipe for rats. But that wasn't the intent of the rat bounty.

            The rat analogy breaks down well before that.

            Anyone can breed a rat. But only the developers can create or leave a bug in their own software.

            Remember this is about "software vendors offering bug bounties", presumably for bugs in their own packages.
            That's a far cry from Google offering a bounty on a bug in Joe Budding Programmer's CS 101 project.

            • by SnowZero ( 92219 )

              Anyone can breed a rat. But only the developers can create or leave a bug in their own software.

              I love this quote. I think it gets better without context.

        • by ceoyoyo ( 59147 )

          Let me rephrase it in the context of Star Wars. This is Chewbacca. He's a Wookie....

      • Impressively, the Slashdot summary manages to be more informative than the article itself, while only quoting the article!

        • well the op was familiar with the works of the great Sir pterry viz

          “Shortly before the Patrician came to power there was a terrible plague of rats. The city council countered it by offering twenty pence for every rat tail. This did, for a week or two, reduce the number of rats—and then people were suddenly queueing up with tails, the city treasury was being drained, and no one seemed to be doing much work. And there still seemed to be a lot of rats around. Lord Vetinari had listened carefully while the problem was explained, and had solved the thing with one memorable phrase which said a lot about him, about the folly of bounty offers, and about the natural instinct of Ankh-Morporkians in any situation involving money: “Tax the rat farms.”

      • He's added 2 more sentences to the article, trying to bury his assertion after all the negative reaction, but too many people saw the original and commented on it.

        Hopefully Kaspersky Lab (the owners of threatpost.com) will be able to extract some sort of apology, or at least a clarification that edits done after the post should be clearly marked as such.

        If you don't want to use the feedback form, you can email nicole.lawler, greg.sabey, or alejandro.arango, all at kaspersky dot com.

    • by Jmc23 ( 2353706 )
      Well, it was posted by timothy. What did you expect?
    • No, the analogy makes no sense at all. It would only make sense if the developers were adding bugs to the code to collect the bounties. This is not what's being described.

      The article is there to fill space and get ad clicks. Like most of the IT press.

      • I heard the devs are finding the bugs on iPhone killers and the bounties are paid in Bitcoins...
      • Exactly! The bug bounties are doing exactly what they are supposed to, give people other than the devs an incentive to find and report bugs. Something that previously usually only happened if it actually inconvenienced the user. Just because they are finding more bugs and glitches than expected in no way means they are somehow generating them for profit. That's why the analogy usually used is regarding bounty hunting. You are finding the unwanted elements and turning them in for profit, as opposed to the
      • by rs1n ( 1867908 )
        I didn't read the article, but from the quote in the summary, you're mixing up developers with external security analysts (citizens vs entrepreneurs from another place trying to score a buck). But, to get to your point -- you're right, the analysts aren't injecting bugs into the software. However, they are very similar to the rat farmers in the sense that they might not care about the software being bug-free (or the city being clear of rats) and are only interested in the monetary gains.
        • by slim ( 1652 )

          However, they are very similar to the rat farmers in the sense that they might not care about the software being bug-free (or the city being clear of rats) and are only interested in the monetary gains.

          But that part isn't notable or interesting.

          The whole point of the rat bounty is to coax people into hunting wild rats, who wouldn't be doing it without the monetary incentive. Just like an external security analyst, the legitimate vermin killer is only doing it for the money.

          What makes the rat farming anecdote notable, is that people would exploit the scheme by claiming the money while actually making the problem worse. But the bug bounty story has no parallel for that interesting part -- unless someone act

    • Yep, bloody stupid article by a bloody stupid journalist. No two ways about it.
    • by Aladrin ( 926209 )

      My thoughts exactly on bugs vs rats.

      • Writing bugs into code, even if on purpose, is *nothing* like rat farming.

        If you want to farm rats (which I strongly advise against, as it's a waste of turns -- better to farm wolves or spiders at a higher level), first you need to make sure you're on a level with minimal corruption. Then you need to get a wererat onto the level somehow (making it follow you from an adjacent level is usually the best way). Put yourself in a corner (or along a wall), and hack away at the summoned rats. This should be suf
      • by dzfoo ( 772245 )

        I saw Bugs vs. Rats, it was pretty cool. I'm still waiting for the sequel, Rock, Paper, Scissors vs. The World, with Nicholas Cage as Spock. That one's going to r0xx0rz!

                  -dZ.

    • by Anonymous Coward

      Yea, WTF happened here? The last line of TFS sounded like a pretty interesting last line to the first paragraph of an article. Except it turned out to be the last line of the article, where it made even less fucking sense than it did in TFS. I honestly don't understand how this got published, much less why the fuck someone read it, thought "this is interesting" and then submitted it to slashdot. I do however, fully understand how it made the front page, since it's quite obvious that no editor bothered t

    • by slim ( 1652 )

      Stephen Dubner is a smart guy, and I'm sure he had a solid point to make.

      I can only imagine that this reporter has failed to relay it correctly.

      What confuses me most is the "and that's a good thing" at the end. Mystifying.

    • this whole article is mostly pointless (besides the interesting story about rat farming).

      Which itself seems to be a fabrication (unless this is the one story unavailable anywhere else on the internet). Johannesburg certainly has a rat problem, but there's no reports of the city paying bounties.

      http://www.news24.com/SouthAfrica/News/Johannesburg-waging-war-against-rats-20110801 [news24.com]
      http://www.news24.com/SouthAfrica/News/Anti-rat-campaign-moves-to-Soweto-20110812 [news24.com]

      • by Toze ( 1668155 )
        I was going to say we had them in the Canadian prairies, but I find that there's no mention of it in the official history. My father and grandfather did mention hunting rats in rural Saskatchewan, though, and they have mentioned knowing or hearing about neighbors farming rats. However, this is 3rd-hand knowledge at best.
        • by ceoyoyo ( 59147 )

          Are you sure they were rats? The Canadian prairies don't have a lot of rats (Alberta has none). They DO have prairie dogs and Richardson's ground squirrels though, and there have been various bounties at various times on those. Apparently in Saskatchewan once the bounty only required turning in the tail so you'd catch the little guy, whirl him around by the tail until it tore off, and let him go.

          • by Toze ( 1668155 )
            Could have been gopher bounties and gopher farming, I guess, yeah. The tails were the things they specifically mentioned turning in, so it seems likely.
            See, this is why history is a pain in the ass to study; anything but a first-hand account is pretty much garbage.
      • I used Google rat farming site:wikipedia.org to find a citation in the Wikipedia article about perverse incentives [wikipedia.org]. I didn't read the original source [jhu.edu] because it appears to be paywalled and in French, and I am not affiliated with any of these subscribing institutions [jhu.edu].
      • That's all humbug. I live in South Africa, and there is no way me, my friends or any of my family will hand in dead rats for money, not even to mention breeding them for said imaginative payment on delivery of dead rodent. It's completely ludicrous and utter drivel.

        Rather skewer them over an open fire, it really brings out the flavor. But care must be taken with those who are carrying young, the veal is especially priceless.

        • by jc42 ( 318812 )

          That's all humbug. I live in South Africa, and there is no way me, my friends or any of my family will hand in dead rats for money, ... Rather skewer them over an open fire, it really brings out the flavor. But care must be taken with those who are carrying young, the veal is especially priceless.

          Great answer! I've read similar comments from Chinese sources about various pest problems there. Their similar replies are especially effective, because the rest of the world has a stereotype of Chinese that they'll eat any sort of strange animals. The fact that this is semi-true just adds to the effectiveness of the humor. I once had a Chinese friend who liked to tell people that his relatives back home trapped and ate second children. He really enjoyed the responses to this claim.

          Of course, if a b

    • by rs1n ( 1867908 )

      Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).

      But it turns out that he knows more about security than one would think. Maybe even more than he might think.

      Or perhaps not? This comes across as exactly the kind of outsider without a clue looking in type perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).

      The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

      You did miss something. The researchers are not injecting bugs. Instead, they are "farming for bugs" in the sense that they (presumably) put the software through a battery of tests (the "breeding" process). His point was that the bounty system was originally to motivate USERS to submit reports (like in S.A. where the point was to encourage citizens to turn in rat bodies). Instead, you've now got security researchers who may have absolutely no interest in using the software itself but have a monetary incentive

    • by ceoyoyo ( 59147 )

      I love the article. It starts with a snarky paragraph about outsiders who don't know anything about security drawing (presumably) flawed analogies to things in their own area of expertise, says Dubner is different, then goes on to credulously relate a flawed analogy Dubner made between computer security and rat farming (which is presumably in his area of expertise).

      The irony is strong with this one. Unless he was serious....

      Another example of an economist talking without a complete understanding of a subj

    • The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances. And, here is the line in TFA that states that out right. It is called headline sensationalism, pure and simple.

      • Those last two paragraphs were added later, without any indication of them being an after original publication edit.

    • by bgat ( 123664 )

      The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

      No, that's EXACTLY the point he is making. He even says in the article that researchers aren't creating bugs, they are merely looking closely at the software with the purpose of finding those bugs. His analogy with rat farming isn't a very good one, but the main thrust of the article is that bug bounties ARE working--- and that commercial companies are recognizing that.

      The rat farming analogy works if you think about the tools researchers create purely for detecting bugs in the target code. Programs that

    • The amusing piece of flawed logic appears to be the idea (very very common in the popular and business press) of thinking that a bug that nobody knows about is a bug that doesn't exist. It's the logical equivalent of assuming that if you can't see it, it can't see you.

  • Dumb article. (Score:4, Informative)

    by tomhudson ( 43916 ) <barbara@hudson.barbara-hudson@com> on Tuesday September 20, 2011 @10:06AM (#37456092) Journal
    The conclusion is false:

    But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

    There is ZERO evidence that the people writing the software cited in the article are intentionally introducing bugs. This guy should either produce a smidgen of evidence or FOADIAF.

    • FOADIAF

      Fly on a dinosaur in a forest?

      • F off and die in a fire (is what that acronym means, a combination of the more common FOAD and DIAF)
        • I suppose if I don't fly off, I would die in a fire. But wouldn't it be more grammatically correct to say "OR die in a fire"? And if I'm not flying on a dinosaur, then what will I fly on?

    • If you read the article (I didn't at first either), it says that researchers are finding bugs in a lab that would never have been found otherwise (not by hackers either), but concludes that this is a good thing. It's a happy story about how bug bounties are good for everybody, and leads to better software...
      - It's not a dumb article, it's just a happy one :)
      We're just confused because articles are always expected to be negative, this one isn't, now smile :)
      • by slim ( 1652 )

        No, we're confused because the rat farming analogy has no bearing on the good news you noticed.

        Rat farming: Incentive scheme leads to unintended, unexpected, undesirable outcome
        Bug bounty: Incentive scheme leads to intended, expected, desirable outcome

      • That's because those paragraphs were added to the article after the fact (and after the summary was written - so the summary isn't incomplete, it reflects the idiotic article at the time).

    • by rs1n ( 1867908 )
      People writing the software and researchers aren't necessarily the same group. In fact, I think they're more likely to be two sets with no intersection.
    • My question is. Who made this idiotic remark?

      Stephen Dubner? or the journalist who's claiming to paraphrase what Stephen Dubner said during his speech?

      I'm crossing my fingers that it's not the Freakonomics co-author, otherwise I'll never dare quoting anything again from that book.

    • The conclusion is false:

      But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

      There is ZERO evidence that the people writing the software cited in the article are intentionally introducing bugs. This guy should either produce a smidgen of evidence or FOADIAF.

      Agreed - with a couple of points. The bounties are only for exploitable bugs, there's no mention of developers deliberately introducing bugs (let alone evidence), so researchers can "find" them and profit.

      I like the quoted author's economics work - but this has zero to do with economics. Having done triage for bug reports I know single bugs can have multiple reports, and there is no shortage of fake bugs - but it has no bearing on bounties. (sigh) just another bullshit "hype my security conference that hyp

  • It doesn't say anything more than the Slashdot topic.

    • by jc42 ( 318812 )

      It doesn't say anything more than the Slashdot topic.

      It does now. A few sentences have been added that attempt to counteract the idiocy of the original claim implying that the bug "researchers" are introducing bugs into someone else's software to collect the bounty.

      It's still a rather crappy analogy. Methinks it's more of an attempt to disparage the bug hunters. This is quite common in the software biz, of course, but this author found an original way to discredit people's attempts to improve software quality.

  • ObDilbert (Score:4, Funny)

    by DCheesi ( 150068 ) on Tuesday September 20, 2011 @10:07AM (#37456108) Homepage

    "I'm gonna write me a new minivan this afternoon!"

    http://search.dilbert.com/comic/10%20Dollars%20Bug%20Fix [dilbert.com]

  • you can breed rats, and they are rats. If you would get paid for a grey rat only once and not for every one, then you need to turn in brown, striped, checkered, white, blue, green, yellow rats. that would make the farming task way more complicated. Especially as there are other rat farmers out there doing the same.
    And once all colors of rats have been done, it's over. no more rats...

  • by nedlohs ( 1335013 ) on Tuesday September 20, 2011 @10:10AM (#37456170)

    And that includes slashdot car and pizza analogies.

    Unless he is claiming researchers are contributing code to said products that they know contains security bugs and then when it is released reporting it and claiming a bug bounty (and hiding the fact they contributed it since the rules say you can't do that of course).

    But he isn't. So the analogy is complete and utter garbage.

    • Maybe I can explain it a little better...

      Okay, picture a car.

      Does the analogy make any more sense now?

    • And that includes slashdot car and pizza analogies.

      Unless he is claiming researchers are contributing code to said products that they know contains security bugs and then when it is released reporting it and claiming a bug bounty (and hiding the fact they contributed it since the rules say you can't do that of course).

      But he isn't. So the analogy is complete and utter garbage.

      Where's BadAnalogyGuy when you need him? Also : I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

      • by slim ( 1652 )

        Also : I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

        They're a lot like stone soup analogies.

        • by lennier ( 44736 )

          Also : I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

          They're a lot like stone soup analogies.

          So, one poster says "This computer security situation is like stone soup. But what would make it more relevant would be if it were also like a pizza with a stone soup topping."
          And then another poster says "That is a good analogy, but it would be even better if it were also like a car made entirely of pizza with a stone soup topping..."

        • by jc42 ( 318812 )

          Also : I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

          They're a lot like stone soup analogies.

          Actually, the pizza analogy works pretty well with the rat-farming story. That one says that if you offer money for dead rats, you encourage people to produce rats that they sell to you. Similarly, if you buy pizzas from pizza makers, that just encourages them to make more pizzas, which they then sell to people like you.

          But I don't think either of these works too well as analogies to software bugs. The explanation probably has to do with the fact that nobody actually buys the bugs themselves; they pay

  • by Verteiron ( 224042 ) on Tuesday September 20, 2011 @10:11AM (#37456176) Homepage

    Okay, so who came up with this idea first? South Africa? Or Terry Pratchett?

  • I heard about the rat farming story as a kid - and that is many years ago. The idea of relocating the story from 19th century US to South Africa strikes me as odd. But who knows, maybe the SA story has been verified.

  • Unless people are putting bugs in open source software, then claiming the bounties for finding them, the analogy is just plain wrong.
    • That's a very inflexible interpretation. Here's how to coax the analogy into making sense. The general theme is how rewards can be counterproductive by shifting the aim of those being rewarded. I'll take an old story about chimpanzees, art and bananas. The chimpanzees were given paint and paper to play with, and they had a lot of fun, making nice things. Then rewards were introduced: make a painting, get a banana. This changed the character of the game for the chimpanzees. Paintings became just a means for

      • by slim ( 1652 )

        I think what you're saying is, it's not a direct analogy.

        "Here's an example of an incentive scheme that has an unexpected and undesirable outcome".

        "Bug bounties can also have unexpected outcomes" -- but with a quite different mechanism.

        I don't think Dubner would have done that. Freakonomics (the book) contains loads of examples of unexpected outcomes due to skewed incentives. He could have found one that fitted better.

        No, I'm pretty sure this is just a reporter failing to convey what was actually said.

        (Favo

        • He could have come up with a better example (he could have taken your example), but it's not bad and I explained why. If you imagine a kind of tree structure (or a directional web) with edges indicating a relationship "is kind of a .. story", then the rat farming story is a story where incentives act counterproductively because they shift the motivation away from the original intent.
          This is a good node, the analogy is good.

          There is also a more detailed node "incentives leading to a situation where people act

        • Actually, there is a variable in the stories which is the amount of cheating. I think I'd prefer a story with a minimal sense of cheating.

  • 1. It talks a lot about the illegal rat farm business.

    2. It just says it is similar to the bug hunting business - with NO explanation. No real discussion of the bug hunting business, no explanation why they are similar. It just assumes you will believe they are similar, with no reason. I don't see any connection.

    3. It concludes with "and that's a good thing" with no explanation of why it is a good thing. Bull.

    If I saw this in a blog, I would call it a bad blog. As an article, it is at best half of

    • Correction. The author did not have a good idea. He was reporting on a speech given by someone else (author of Freakonomics.).

      The author basically gave a review of that speech, and left out all the important stuff, just because he was obsessed with the stupid rat farming example.

      I will have to go looking for the real speech, it might actually be interesting

  • WTF? This makes absolutely no sense. Bugs cannot be manufactured into existing software, they are created by the vendor not by the vulnerability finder. The analogy to rat farming is completely bogus

    Ditto

  • I think the point he's getting at is that a lot of the bugs are not the ones that would trouble users (i.e. they only appear "in the lab"). So although it's still good to fix them, they are low priority.

    The farming analogy is bad because it implies people are creating these bugs just to turn them in, which as everyone is pointing out, doesn't make sense and would reflect poorly on the buggy developer, so it would be self-limiting. Instead, I propose he should have said "imported" rats instead of "farmed"

    • by ejtttje ( 673126 )
      Aha, found it:
      What does $1265 of bugs look like [daemonology.net]
      Looks like this wasn't a slashdot article, maybe it should be :)
    • by slim ( 1652 )

      As I've already said, Dubner's a clever bloke. If he was trying to make the point you've made, then he'd have found a suitable analogy. He has at least two bookfuls.

      No, this is a reporter getting the wrong end of the stick.

      But let's think about your observations.

      The rat farming thing is fairly interesting. You can imagine the rat bounty seeming like a good idea. People subverting it by farming rats would come as a surprise to a lot of people. Freakonomics is full of stories like that.

      Your observation, that

      • by ejtttje ( 673126 )

        Your observation, that a bug hunt will reveal lots of inconsequential bugs, but the few significant ones make it worthwhile -- well, that's entirely the expected result, surely?

        Well, I could make some argument about whether it's generally worthwhile even for a few significant bugs... if they are significant, it's likely they would be found and reported in short order regardless of a bounty. And especially if there's a backlog of bugs, I'd say those should take priority over finding new bugs that haven't actually bothered anyone yet.

        The security aspect is different though, because those are bugs that have a motivation to go unreported. And there's the 'papercut' type, where small

  • How exactly do researchers 'plant' bugs into code released by another party?

    Researcher: "Look look! We found a bug!"

    Company: "Why yes you did! Wait... this isn't even our code! GTFO and stop wasting our time."

    • by slim ( 1652 )

      Business model!

      1. Note missing feature in Firefox
      2. Write missing functionality; include carefully obfuscated security bug
      3. Donate code to Mozilla
      4. "Find" and fix bug. Claim bounty.
      5. Collapse, cackling, into your bed of dollar bills.

      • by lennier ( 44736 )

        Business model!

        1. Note missing feature in Firefox
        2. Write missing functionality; include carefully obfuscated security bug

        And that explains the new Firefox 5-week release cycle.

  • ... when a company happens to track who is the person responsible for a bug.

    If there's no accountability, then a coder could generate bugs for a confederate on the outside to cash in on. Mind you, you'd need to make sure:

    • that the bugs weren't so easily found that the wrong person discovers them,
    • that the "bug bounty" was high enough to justify this kind of skullduggery,
    • and that there was nothing to track the bug back to the original developer, who would most likely become unemployed if enough bugs were laid
  • One of the commenters from TFA finally explained it, the problem is it's still a very bad analogy. Farmed rats !=manufactured bugs. The actual analogy is wild rats == significant bugs and farmed rats == insignificant bugs. He's not saying the "bug farmers" are manufacturing the bugs, just that they're finding new and creative ways to break the software that would in all likelihood never occur outside of a lab setting.

    So, like I said, a very bad analogy.
    • That actually makes sense, in other words they are finding bugs, like say if a glitch happened where if you type the letters todadadklard into a search box, hold shift and backspace while having someone else click the submit button, the program exits. While technically a bug, it would be one that would never bother anyone or affect the end user, hypothetically though it could lead to an exploit that could do greater harm as a zero day vulnerability with the right method of hacker, hence why it is good to
  • The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances.

    So it's actually nothing like rat farming.

  • The (current) last two paragraphs of the article were added after many of the /. comments were posted.

    Previous final sentences:

    But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

    Added paragraphs:

    The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances. Those who run the bug bounty programs at the software companies say that they are seeing more and more submissions than they did before their programs began, and the combined resources of the external researchers and the vendors' internal teams finds far more flaws than just the internal teams could.

    The idea of people raising rats for the express purpose of killing them likely isn't what the officials had in mind when they began their reward program, and they may well end up with a larger rat infestation than they had when they began if they put a stop to the rewards and the rats end up wandering the streets. But the opposite has occurred with the vendors' bug bounty programs. As they've continued to reward researchers and even raise the amount they pay for new bugs, researchers have responded with more submissions, and all of the users of those applications have benefited.

    Seems like an attempt to rescue the article from terminal idiocy. But it's just digging a deeper hole.

    It's just like rat farming! Except that nobody's manufacturing defects deliberately.
    Rat farming had unintended consequences! Bug bounties have exactly the consequences that their designers were aiming for: lots of people detecting bugs.

  • Okay, so in South Africa, bounties for dead rats had the unintended consequence of creating rat farmers which is 180 degrees counter to what the creators of the bounty wanted. It's a classic case of perverse incentives. On the other hand, the software bug bounties are resulting in more software bugs being found and fixed. Exactly what the creators of the software bug bounties wanted. And, no one, not even the bad-analogy-maker, is suggesting that the security researchers are introducing software bugs only t

    • by slim ( 1652 )

      I had always kind of figured the Freakonomics guys were more pop-pseudo-science than actual hard science. But I'm not an expert in any of the other fields they've discussed. Now I guess I know for sure that they're full of it.

      Freakonomics is fine. This seems like a Chinese whispers in the retelling.

  • Nothing new to this.

    Twenty years ago, I worked at a company (whose name you have all heard but I'd best not mention) which, among other things, produced development tools. A major release was coming up, and the word went out: company-wide cash bounty on bugs. The more severe, the bigger the bounty.

    BUT... neither Development nor QA on the product team in question were entitled to participate.

    An underground economy of bugs immediately arose. QA people would find bugs and tell their tech support buddies.

  • Another blog post, another site: http://www.leadershipblog.co.za/2010/08/11/stephen-dubner/ [leadershipblog.co.za]

    It quotes Dubner directly. Dubner says nothing about bug bounties in relation to rat farming.

    He talks about the rat farming anecdote, then talks about unintended consequences in general, in the realm of government, not software development.

    His main observation seems to be that politicians have no incentive to create schemes that are immune to unintended consequences, because the unintended consequences are usually lon
