Mandatory bug-bounties from major vendors

Brian Krebs proposes that software vendors should be forced to pay a bounty on all newly discovered vulnerabilities in their products at rates that exceed those paid by spy agencies and criminal gangs. He says that the bill for this would be substantially less than one percent of gross revenues, and that it would represent a massive overall savings when you factor in the cost to all the businesses and individuals who are harmed by security vulnerabilities. He doesn't explain what to do with popular, free/open software though.

Notable Replies

  1. Bug bounties can be a great source of bonus income for the developers of said apps. All they have to do is slip a subtle bug into the code here or there, then split the bounty with their buddy who discovers these subtle bugs.

  2. That would quite effectively hand a tool for competition crushing to all the existing major software companies. It would create an incentive to find a vulnerability in a competitor's software, especially a new or disruptive startup, where a bounty could kill them off (or force them to sell early).

    A nice idea, but it would empower those who already have a lot of resources, and weaken those who are new or innovative. A disincentive to innovate or take risks by creating a monetary penalty for making mistakes.

    We would be stuck with Windows 7 or 8 forever, and whatever feline OS is currently happening. Instead of an iterative and ongoing progression of improvements (and missteps, of course) we would stagnate.

    Empowers existing high cash companies, punishes innovation and rewards stagnation, this sounds like it is almost guaranteed to become law.

Continue the discussion bbs.boingboing.net

9 more replies

Participants