BLOG: Why bug bounties aren't a cure for broken software

Roger A. Grimes | June 26, 2013
Microsoft joins other vendors in rewarding those who privately report software vulnerabilities — but that may not reduce customer risk.

Even customers of a company with a good bug bounty program may suffer at the hands of one new bug that was not submitted through the program — or one that customers failed to patch in a timely manner. One bug can cause a whole lot of problems. A vendor can report that it closed more security holes than ever and still have more of its customers hacked than ever in the same year.

Don't get me wrong. I'm fairly excited about vendor bug bounty programs, especially because they give white hat hackers a way to earn money for their talents legally. But I'm still waiting for definitive results that say they actually result in fewer exploited customers.
