Researchers: Bug Bounties Don't Work

Tuesday Apr 21st 2015 by Developer.com Staff
Share:

Paying for security vulnerabilities only finds the easy-to-spot bugs.

New research conducted by the Massachusetts Institute of Technology (MIT), Harvard University, Facebook and Hacker One finds that offering a bug bounty isn't the most effective way to increase the security of software. According to the researchers, offering money in exchange for information about vulnerabilities only helps to eliminate the "low-hanging fruit," the bugs that were easy to find.

Instead, the report says that developers should pay researchers to develop tools that can spot bugs, which is a more cost effective strategy for improving security in the long run. The report added that it is particularly difficult to counteract the efforts of organizations like national intelligence agencies that have a lot of funding and interest in finding vulnerabilities.

View article

Share:
Home
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved