“Bug bounties” paid out for finding and reporting bugs and vulnerabilities are a cheap and effective way for companies to bolster their security, an independent study by UC Berkeley researchers has found.
The schemes used by Mozilla and Google to secure the Chrome and Firefox browsers are far more cost-effective than hiring security staff, the researchers conclude.
The “lottery-like” nature of some bug bounty schemes (where there is a possibility of being paid, say, $30,000, even though most payouts are far lower) works as a powerful incentive, the researchers say.
Mozilla’s “bug bounty” program relies on fixed prices, whereas Google’s relies on “tiered” rewards, which the researchers suggest may be a more effective incentive. Both programs work, however, according to the team’s analysis of company expenditure.
Programs such as Google’s Chrome vulnerability rewards program are cheap to run, with the median payout per vulnerability standing at $1,156.9. Researchers do not typically earn the equivalent of a salary, the researchers write in the paper An Empirical Study of Vulnerability Rewards Programs, but the programs are highly effective, with 28% of patched vulnerabilities in Chrome security advisories coming from “bug bounties”.
“If we consider that an average North American developer on a browser security team (i.e., that of Chrome or Firefox) would cost the vendor around $500 per day (assuming a $100,000 salary with a 50% overhead), we see that the cost of either of these VRPs is comparable to the cost of just one member of the browser security team,” the researchers write. “On the other hand, the benefit of a VRP far outweighs that of a single security researcher because each of these VRPs finds many more vulnerabilities than any one researcher is likely to be able to find.”
The Firefox and Chrome VRPs compare “favorably” to the cost of full-time researchers, the study concludes. “The Chrome VRP features low expected pay-outs accompanied by high potential payouts, a strategy that appears to be effective in engaging a broad community of vulnerability researchers.”