Communications of the ACM

ACM TechNews

Bug Bounty Programs Beat Internal Researchers

A bug bounty wanted poster.

Paying external parties to discover bugs in software is worth it, according to newly released research.


A new study from researchers at the University of California, Berkeley suggests that paying external parties to discover bugs is worth it.

The review of bug bounties paid by Google and Mozilla over three years to fix bugs in the Chrome and Firefox browsers found that the external programs were between two and 100 times more cost effective than hiring full-time employees. The average daily cost of rewards was $485 for Chrome and $658 for Mozilla.

Bug-bounty programs cost roughly the same as a single member of a browser security team, and crowd-sourced programs that pay cash often outmatch the bug-spotting power of full-time employees.

Still, the researchers do not call for getting rid of internal bug hunters. Instead, they say organizations should hire their best external bug reporters as internal security researchers, and pay them to find as many bugs as possible.

The study also encourages organizations that develop software to consider running a bug-bounty program to help find bugs in code and spot them earlier in the development lifecycle.

From InformationWeek
View Full Article

Abstracts Copyright © 2013 Information Inc., Bethesda, Maryland, USA
