We’ve Cracked Bug Bounties, What’s Next?

Bug bounty payments are rising, creating new value and recognition for an army of ethical hackers. That’s great, but now that we’ve acknowledged this long-undervalued community of technical experts, it’s time to turn our attention to another.

The good news for developers is that Google is paying out more bug bounties than ever, according to an announcement the company made in late January. In 2019, it forked over $6.5m in rewards, according to the post by its Vulnerability Reward Programs team. That’s double what it had previously paid in any single year. Researchers donated $500,000 of that to charity, a five-fold increase over its next best year, it explained.

It’s a far cry from the bad old days, when all researchers got was a free t-shirt if they were lucky. Back then, the rewards hopefully came in fame and job offers from third parties, if at all. In March 2009, ethical hacker Charlie Miller launched a campaign called No More Free Bugs, explaining that he wouldn’t give up software vulnerability information for free anymore.

With third-party bug bounty companies helping to formalize programs for more software and hardware companies every day, it seems we’re now on top of the problem Miller was complaining about. What problem can we address next?

Discovering bugs after the fact is useful, but what’s even more useful is developing software that doesn’t include them in the first place. Building security into software development is a tough challenge, because software is difficult to write. With more companies relying on open-source developers, it’s also something that the crowd could help solve.

The problem is that open-source development is underfunded today. Last year, programmer André Staltz conducted an innovative bit of data journalism, collecting data from the patron-based open-source funding site OpenCollective along with GitHub. He found that over half of the 58 open-source projects he evaluated couldn’t sustain their maintainers above the poverty line, even though many of these projects are widely used on commercial websites.

The median donation per year for these projects is $217. That includes sponsorship from companies alongside individuals, he explained.

Some large technology companies contribute funding and developer hours to popular open-source projects, especially when those projects are strategically important to their direction, or when they can earn service revenues by supporting them. Still, many companies use open-source software libraries in their own products and services without the slightest nod to the people who develop them, often in their spare time.

Perhaps it’s time for more companies to pay towards the development and upkeep of this software if they can’t devote developers to the cause. That way, we could begin pushing security and software further upstream, emphasizing prevention rather than cure.

To learn more about all things information security, register your interest in attending Infosecurity Europe 2020, June 2-4.
