[ISN] Study: Bug bounty programs provide strong value for vendors
https://www.computerworld.com/s/article/9240675/Study_Bug_bounty_programs_provide_strong_value_for_vendors

By Jeremy Kirk
IDG News Service
July 9, 2013

Paying rewards to independent security researchers for finding software problems is a vastly better investment than hiring employees to do the same work, according to researchers from the University of California Berkeley.

Their study looked at vulnerability reward programs (VRPs) run by Google and Mozilla for the Chrome and Firefox web browsers.

Over the last three years, Google has paid US$580,000 in rewards, and Mozilla has paid $570,000. In the course of those programs, hundreds of vulnerabilities have been fixed in the widely used products.

The programs are very cost effective. Since a North American developer's salary will cost a company about $100,000 with a 50 percent overhead, "we see that the cost of either of these VRPs is comparable to the cost of just one member of the browser security team," the researchers wrote.

[...]
--
Visit the new and improved InfoSec News website
http://www.infosecnews.org/