Study finds bug bounties an economic incentive

By on
Study finds bug bounties an economic incentive

Security bug bounties are a worth the cost according to new research.

A study by University of California, Berkeley researchers Matthew Finifter, Devdatta Akhawe and David Wagner focused on software, specifically Google Chrome and Mozilla Firefox.

Website VRPs, which Google also offers, are a newer and expanding market in the bug bounty industry.

The study found that the Chrome's rewards program has doled out roughly $580,000 since it was kicked off more than three years ago, resulting in 501 separate rewards. The Firefox program has paid out about $570,000 over the past three years, which covers 190 bounties. In 2004, Mozilla became the first tech company to institute such a program.

All told, about a quarter of all the vulnerabilities that were publicly disclosed in security advisories from these two companies were discovered the bounty programs. This led the study's authors to assert that the programs have been a success – and they could serve as a viable alternative to contracting with professionals or hiring full-time staff to find vulnerabilities.

"Both programs appear economically efficient, comparing favorably to the cost of hiring full-time security researchers," they wrote.

Jeremiah Grossman, co-founder and CTO of WhiteHat Security, told that even though his company specializes in website vulnerability detection, he supports rewards programs.

"It is a great way to crowdsource vulnerability assessment,” he said.

But he said downsides include the cost to manage the programs, explaining one workaround is to partner up with third-party bounty programs, such as TippingPoint's Zero Day Initiative (ZDI) or Bugcrowd.

That may explain why some companies are resistant to paying researchers, such as Adobe and Apple, which have found other ways to thank researchers, including points systems. Microsoft was also a longtime holdout, but last month announced a limited bug bounty program. Other companies that have adopted monetary reward programs include PayPal, AT&T, Samsung, Facebook, Etsy, Cryptocat, LaunchKey and Barracuda Labs.

In addition, there's always the concern that the programs will lose out to higher bidders, including on the black market.

According to the study, just three Chrome contributors – out of 82 – reported earning more than $80,000 over the past three years studied, and only five more reported earning more than $20,000. Out of 70 Firefox contributors, only one reported making more than $141,000 across three years, while five others reported earning more than $20,000.

And researchers such as Dino Dai Zovi, who famously helped launch the "No More Free Bugs" campaign in 2009, said companies should first focus on building resilient products before they go to market.

"For most products, security reviews by pros should happen before product is shipped and bug bounties after," he tweeted.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?