Bounty programs can buy goodwill with bug hunters with very little downside, said Todd Feinman, founder, president and CEO of Identity Finder. "Bounty programs keep honest people honest," Feinman said. "That's important because if people can see that by doing the right thing, they can make some money, they're less inclined to be unethical."
Although bounty programs have the potential to bite the hand that feeds them, that hasn't been the case, he added. "They have not resulted, that I'm aware, in people finding vulnerabilities and selling them on the black market instead of to the companies," he said.
Over the last 10 years, the bug reporting landscape has changed significantly, Sutton said. Ten years ago, no software vendor had a bug bounty program; now it's common.
"Yes, there are more vulnerabilities being bought and sold for offensive purposes, but I don't think that's indicative of a shift to the 'dark side,'" Sutton said. "I think it's indicative of more overall activity."