Barracuda Networks bug bounty scheme slammed by Idappcom

The bug bounty program follows hard on the heels of a similar scheme from Google and, Infosecurity notes, Mozilla recently handed a large pay check to a 12-year-old programmer who found a serious flaw in Firefox.

Barracuda's scheme starts at $500 and ranges up to $3,133.70 – the higher figure being a reference to the numeric equivalent of eleet (31337) or leet, which the firm says is IT cracker slang for top programmers.

But, says Anthony Haywood, CTO of vulnerability and security testing specialist Idappcom, the bug bounty from Barracuda is the latest stage in a worrying new trend.

Even though Barracuda is billing its rewards scheme as being in the best interests of customers, there is, he argues, a significant danger that it will attract developers into researching flaws in the vendor's products and then offering those flaws to the highest bidder.

"And, of course, if the bug is a really serious one that cybercriminals can exploit to generate fraudulent revenue, there is a significant danger of the exploit information falling into the dark ecosystem that black hat hackers – as well as cybercriminals – now inhabit", he said.

Haywood argues that, as long as the likes of Google and Mozilla offer large sums of money for bugs in their software, other vendors are going to follow suit.

But just because it is becoming the norm for the IT industry does not make it in the long-term interests of our market sector, he says.

The Idappcom CTO went on to say that the bug bounty schemes offered by a growing number of IT players have parallels with the 'litigate for free' industry that has sprung up in the legal sector over the last decade or so.

The law firms, he says, argue that their litigate-for-free service is really in the best interests of the consumer, but the problem is that, while a whole new industry has been created, it has ended up pushing insurance premiums up for most businesses.

Someone, somewhere, has to pay for these types of services, and, Haywood observes, the same conclusions apply to the bug bounty programs offered by IT vendors.

The irony of the situation, he explained, is that, as well as paying indirectly for the bug bounty schemes, end users of IT security systems, software and services also pay a second time as the tide of malware and other electronic mayhem rises as a result.

"This is a cause and effect situation. No one really wins in the longer term from bug bounty programs. And that's why we say that they are not in the real interests of our industry", he said.

"In the short term they make a good story – and perhaps even a good event like CanSecWest's Pwn2Own cracking contest in North America – but the bottom line is that it's not in our industry's best interests to offer such large sums of money. For that reason we give a definite thumbs down to such practices," he added.
