Mutiny On The Bounty
It’s not the easiest pill to swallow, and more importantly, imagine trying to convince the management team not only to implement an external security review program, but to provide incentives for the resulting discoveries — that’s right, we’re going to pay others to find our mistakes. Yikes! Let’s face it: there will be bugs in software, despite the development process, code review and QA. Items will get missed, and unintended features or behavior will creep into the code base. The systems have become complex, and their interactions with 3rd parties are not always planned or even manageable. Likely, it is only non-developers who won’t acquiesce to that simple truth. It’s an understandable sentiment from the business stakeholders, as their focus isn’t on the design or implementation of complex application logic. However, there should be one piece of common ground within any organization: the need to be diligent stewards of their customers, and by extension, their customers’ information. Security is the bedrock of excellent customer service.
People tend to be entrenched on the subject of bug bounties, and by extension, bug bounty programs. Companies on the opposing side of this idea, which include some of the biggest names in the industry — Adobe, Microsoft, and Apple — do not believe in rewarding others for vulnerability discoveries, at least not in monetary terms. Meanwhile, they are the same companies that routinely struggle with reactive security patches and frequently end up with egg on their face when defects leading to mass breaches come to light. Proponents of this “radical” idea of bug bounties include Mozilla, Facebook and Google, who’ve been able to reap the benefits of crowdsourcing bug research and who acknowledge that effort both publicly and monetarily. To that list we must now add PayPal, who’ve announced an update to their bug reporting system to include a paid bug bounty program. This is a huge step: a financial company is ready to embrace such programs. It’s not some leap of faith, either: “data has shown it to be an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues.”
Just as award-winning directors need a separate set of eyes to aid in editing, to preserve and enhance the integrity of a film, software companies need the scrutiny of outsiders, especially when the Internet is on the other side of the threshold. PayPal’s steps down this path should be lauded, and others should take notice… if a company whose core business is financial transactions, with the corresponding challenge of preventing the misuse of its systems, has endorsed bug bounties as the appropriate approach… what’s holding your company back from adopting a similar program? In that debate, the gallery of witnesses now includes more than just grassroots supporters of open source projects; it includes real companies needing a solution to some very real problems. Time to discuss the same need within your organization.