Brilliant: Tech Giants Start Security Bug Bounty Programs

By William Peacock, Esq. on November 11, 2013 2:53 PM

Quick analogy: Windows is to your computer what OpenSSL, OpenSSH, BIND, and other open-source packages are to the Internet as a whole.

Your computer runs on Windows, while web apps, servers, e-commerce sites, and pretty much the entire Internet run on these collections of open-source code. But while Microsoft, as the owner and vendor of Windows, is responsible for patching security bugs in its operating system, who is responsible for finding and fixing security bugs in these widely used, free, open-source packages?

Open Source: By Everyone, For Everyone

The beauty of open-source code is that anyone can use it, anyone can modify it, and anyone can benefit from it. But with no central vendor behind it, what company is going to be willing to pour its own resources into finding and patching security bugs, especially when so many other companies rely on the same code and could do it instead?

It's classic diffusion of responsibility: leave it to somebody else. And while altruistic motives of making the Internet a better place may suffice in the early stages of a project, companies eventually have to answer to shareholders, and their own internal software gets priority over open-source code.

The Bug Bounty Program

To ensure that everyone is chipping in, and to stave off the diffusion-of-responsibility problem, Microsoft and Facebook are sponsoring a bounty program, and they are joined by researchers from Google, security firm iSec Partners, and craft e-commerce website Etsy, reports Ars Technica.

The bounty program will, in some instances, pay more than $5,000 per vulnerability. To qualify, a bug must affect software that is used by multiple companies, must have potentially severe consequences for the general public, and must affect a wide variety of users.

The program's researchers will then triage the submissions, coordinate disclosure with the affected companies, and plan repairs.

The program isn't the first of its kind: Google offered bounties for open-source bugs last month, and a number of companies already reward individuals who find vulnerabilities in their own software. This program, however, bands together multiple companies to address the Internet as a whole.

And while this may not directly help your mom-and-pop shop, or your solo attorney in Yolo County, security enhancements to the common code of the Internet mean a lower chance of a website hack or a client data leak.
