SAN FRANCISCO--It's become fashionable of late to have people from outside the industry give keynotes at security conferences as a way of providing a fresh perspective or unique insight into what security means. Often, that fresh perspective turns out to be some variation of the "I don't know security, so let me tell you how it doesn't relate to my field" speech. Stephen Dubner fixed that.
The co-author of the ridiculously popular Freakonomics books, Dubner is a former New York Times writer and would seem an incongruous choice to kick off the talks at a security conference. But it turns out that he knows more about security than one would think. Maybe even more than he might think. His books are filled with stories meant to show the uninitiated how deeply economics and its offshoots affect our daily lives.
Much the same could be said of security and its numerous sub-disciplines. As recently as three or four years ago, many normal Internet users probably didn't give much thought, if any, to the security of their PCs. If they did think about it, they likely thought in terms of annoying viruses and worms, or maybe identity theft. But the events of the last few years have shown that no one can afford to ignore the reality of the security situation.
In his keynote speech at the United Security Summit here, Dubner said that he had great respect for the job that security professionals do, fighting the good fight against attackers and the occasional nation-state. But his most insightful comments had to do with rat farming.
What is rat farming, you ask? It turns out it's essentially a slightly more disgusting version of bug hunting. Dubner said that he was in Johannesburg, South Africa, recently, and the city was having a serious problem with rats. Officials had tried a number of remedies with no real success, and so they eventually hit upon the idea of offering a small monetary reward for every dead rat turned in. The program was a huge hit, and dead rats started flowing in.
But the idea actually created an entirely new industry: rat farming. Once people discovered that there was money to be made by turning in dead rats, they started breeding the vermin strictly for the purpose of killing them and collecting the cash. Effective, but gross.
But it has a clear analog in the bug-bounty programs that software companies such as Mozilla, Google, Barracuda and others have established in recent years. Those programs offer researchers various cash rewards for reporting vulnerabilities to the companies, and they've been quite successful in drawing submissions from a wide range of people.
But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.
nb : threatpost
20/09/11
How Bug Bounties Are Like Rat Farming