Last week a self-taught hacker from Argentina became the world’s first hacker to make $1 million from bug bounties. Relying on bug bounties is not sustainable for businesses and there needs to be an industry standard through which vulnerabilities can be shared and discussed without fear of reprisal.
Paul Farrington, EMEA CTO at Veracode, emphasises in his comments below that organisations need to start providing easy methods for those looking to responsibly disclose vulnerabilities, as large pay-offs for individuals are only a quick fix. They are not a sustainable way of finding and disclosing every flaw.
“It’s true that it is more effective and less expensive for tech companies to build in and maintain security for the products and services they develop early. To do this requires a shift in thinking about security as a competitive advantage, rather than a burden that slows down applications. Part of this philosophical change must also include how we think about our approach to revealing vulnerabilities. Bug bounties have been mostly successful undertakings, with some hackers making good money as some reports suggest, but they aren’t the solution to finding and disclosing every flaw.
Relying on bug bounties is not sustainable for businesses. Collaborative disclosure, also known as responsible disclosure, should be the industry standard whereby vulnerabilities can be shared and discussed without fear of reprisal. This will lead not only to more secure software but greater information sharing, which builds a more cohesive community of developers, security teams and security researchers working together toward a common goal – making the software that powers our world more secure.”