Reply to post: Re: Massively in favour of this idea

Like my new wheels? All I did was squash a bug, and they gave me $72k

jmch Silver badge
Thumb Up

Re: Massively in favour of this idea

It's essentially outsourcing the security testing to an external contractor, with the difference that you don't have to go to the trouble to engage anyone, mess about with contracts etc. From the point of view of software companies, even offering massive bounties is probably still much more cost-effective than to hire someone directly. The largest bounty was $75k, which might have taken months of research by a highly skilled hacker (ahem, security researcher). Hiring such a person directly would take a salary (if they even would agree to be employed, they might not like the idea anyway) at least double that at a cost to the company of close to a quarter-million a year. For a large, or even medium-sized, vendor, keeping a bounty pot of say half a million a year is peanuts.

Also keep in mind that anyone whether employee or contractor can to a greater or lesser extent be sucked in to office politics that can affect how and what they are reporting. It's probably better practice to have the bug-hunting done by total outsiders with no connection to the company.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon