The Controversy Over Paying Security Experts To Find Exploits


There are certain tasks in this world that only a few people have the ability to do.

Playing in the NBA, working as an astrophysicist, and becoming a supermodel are only a few of the jobs I could name right off the top of my head.

One of these special jobs, which takes a set of expertise that not everyone was born with, is finding security holes in software.

This is a job that takes a lot of mind-numbing work.

You have to be able to reverse engineer an executable file while, at the same time, understanding the different pieces of technology that go into making that executable file run.

There has been a controversy over the past couple of years regarding people who do this kind of activity.

There is one side of the argument that believes that security researchers should publicly disclose the vulnerability so that everyone can fix their software issues.


Bounty Hunters

The other side believes that offering a bounty for security holes will give a financial incentive for more people to disclose the bugs that they find.

There is a legitimate argument for both sides.

On the one hand, if people are not publicly disclosing the exploits they find in software and are only giving them to one vendor, this will slow down the ability of other security vendors to fix their products.

This is not just a case of simple market economics; this is a matter of security, sometimes a very serious matter of security.

The time it takes for a company to update its product after the vulnerability has been announced could mean that more people are exposed to that particular exploit.

This is a very dangerous game and one that the average computer user could end up losing in the end.

On the other hand, there is a strong argument for offering bounties to security researchers who find exploits.

Money Motivation

Even though our economy is not a great example at the moment, the free-market system has overall proven to be a successful model.

The best and the brightest are always motivated by something and money is usually the answer.

So if you are able to motivate people to find these exploits, then you have put yourself on a level playing field with the bad guys.

You might even be able to pull some people from their team.

Money has always proven to be a great motivational factor, and it always will be.

This controversy will always be argued among security professionals.

There is no definitive right or wrong answer, but hopefully we will soon be able to come to an agreeable compromise.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable both to IT professionals and to people just like you who need simple answers to their security questions.
