How Bug Bounties Are Like Rat Farming

UPDATED SAN FRANCISCO–It’s become fashionable of late to have people from outside the industry give keynotes at security conferences as a way of providing a fresh perspective or unique insight into what security means. Often, that fresh perspective turns out to be some variation of the “I don’t know security, so let me tell you how it doesn’t relate to my field” speech. Stephen Dubner fixed that.

The co-author of the ridiculously popular Freakonomics books, Dubner is a former New York Times writer and would seem an incongruous choice to kick off the talks at a security conference. But it turns out that he knows more about security than one would think. Maybe even more than he might think. His books are filled with stories meant to show the uninitiated how deeply economics and its offshoots affect our daily lives.

Much the same could be said of security and its numerous sub-disciplines. As recently as three or four years ago, many normal Internet users probably didn’t give much thought, if any, to the security of their PCs. If they did think about it, they likely thought in terms of annoying viruses and worms, or maybe identity theft. But the events of the last few years have shown that no one can afford to ignore the reality of the security situation.

In his keynote speech at the United Security Summit here, Dubner said that he had great respect for the job that security professionals do, fighting the good fight against attackers and the occasional nation-state. But his most insightful comments had to do with rat farming.

What is rat farming, you ask. It turns out it’s essentially a slightly more disgusting version of bug hunting. Dubner said that he was in Johannesburg, South Africa, recently, and the city was having a serious problem with rats. Officials had tried a number of remedies with no real success, and so they eventually hit upon the idea of offering a small monetary reward for every dead rat turned in. The program was a huge hit, and dead rats started flowing in.

But the idea actually created an entirely new industry: rat farming. Once people discovered that there was money to be made by turning in dead rats, they started breeding the vermin strictly for the purpose of killing them and collecting the cash. Effective, but gross.

But it has a clear analog in the bug-bounty programs that software companies such as Mozilla, Google, Barracuda and others have established in recent years. The results have been quite different, however.

The vendor reward programs offer researchers various cash rewards for reporting vulnerabilities to the companies, and they’ve been quite successful in drawing submissions from a wide range of people. But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that’s a good thing.

The researchers aren’t introducing the bugs into the software, of course; they’re simply finding flaws that might not have been found under other circumstances. Those who run the bug bounty programs at the software companies say that they are seeing far more submissions than they did before their programs began, and the combined resources of the external researchers and the vendors’ internal teams find far more flaws than the internal teams could on their own.

The idea of people raising rats for the express purpose of killing them likely isn’t what the officials had in mind when they began their reward program, and they may well end up with a larger rat infestation than they had when they began if they put a stop to the rewards and the rats end up wandering the streets. But the opposite has occurred with the vendors’ bug bounty programs. As they’ve continued to reward researchers and even raise the amount they pay for new bugs, researchers have responded with more submissions, and all of the users of those applications have benefited.

Updated to include more context about bug bounty programs.