Paying for security exploits

May 27, 2007

Somewhere out on the Internet there is probably someone waxing indignant right now about how companies now generally have to pay relatively substantial bounties for security exploits in their products. After all, why do security researchers now demand payment for their research work?

I think that there are two reasons: the obvious reason and the deeper reason.

The obvious reason is that companies are competing for new security exploits with the criminal groups that exploit security vulnerabilities to do various bad things. Said groups pay well for new vulnerabilities, because there is good money in exploiting them to plant various things on people's computers.

(I don't know if the companies pay as much as the underground markets, but they have a competitive advantage in the moral sphere.)

The deeper reason is simple: if you want work done, you need to pay for it. Companies have been unable to come up with non-lame rewards for reporting security vulnerabilities other than actual cash. Since various companies want the work done, and especially since finding a new security vulnerability these days can be a reasonably large amount of work, those companies have been reduced to paying for new vulnerabilities with cash. In fact, they probably pay about as much as they would if they hired a skilled consultant to do a security audit of their program, which is really what they're doing (except that they cleverly don't pay out unless there actually is a problem).

I think that this is the better answer to the whole question, because it does not cast the people taking advantage of the bounties as people who would otherwise sell their discoveries to the underground gangs. Instead it casts them as people who would, without the bounties, simply spend their time doing entirely different and more rewarding things. This should surprise no one; why do work for a company for more or less free?

(Why the companies have been unable to come up with good non-cash rewards is an interesting question. I suspect that a good part of it is that companies have tried to be cheap, and people do catch on to that sort of thing after the novelty wears off.)

Written on 27 May 2007.


Last modified: Sun May 27 21:12:45 2007