What's a better bug-bounty reward than money?
By @edent
· Bug Bounty money · 2 comments · 750 words
Google has recently increased the price it pays out to security researchers who responsibly disclose a vulnerability.
That got me thinking. Is money the best thing with which to reward people?0
There's an interesting (if a little silly) economics paper about why gift giving is inefficient.
The crux of the argument, as I understand it, is that gift-givers rarely know what recipients need or want. So they give gifts which aren't optimal. Your aunt gets you a blue cardigan. But you'd rather have received a yellow t-shirt. Therefore you value the gift at a lower monetary cost than what the giver spent.
If you're happy to ignore all the social niceties around giving and receiving - I'd say it's pretty accurate. Giving the gift of cash prevents newly-weds from being inundated with toasters. A gift registry can solve some of that problem, but inevitably means some gifters end up spending much more or much less than they wanted.
A happy medium is, of course, gift vouchers. As a kid, I lost count of the number of book tokens, record tokens, and cinema coupons I received.
Vouchers have the (dubious) advantage of being unable to be mis-spent. A harried single-parent can't turn a pampering spa-voucher into paying the gas bill, and a student going off to university can't convert book tokens into beer1.
Back when I was doing developer relations, we were always looking for ways to incentivise people to use our products. They generally fell into a few categories:
- Stickers and other low-value goods.
- Phones and other expensive hardware.
- Credit for our platform.
- Cash prizes.
- Money-can't-buy-experiences.
Would a rational developer go out and buy a 2GB USB stick shaped like our logo? Or a t-shirt with our slogan? No. But they're useful low value items.
Would a rational developer buy the phone we were giving away? If it was a pre-release model, it would have high monetary value and social cachet. But that doesn't pay the bills.
Would a rational developer want £500 worth of credit on our service? Unlikely! It didn't cost us much to give it away, and the developer knew we were trying to hook them into spending more.
Would a rational developer want cash? Yes! Well, unless their accountant found out and told them what the state's tithe was!
And so we come to the most interesting one. Money-can't-buy-experiences. A few years ago I won a hackathon. The prize was A guided walking tour under the Thames Barrier. This was not something anyone could pay to do. Much like a tour of Wonka's chocolate factory, it was a limited offer to see the inner workings of something magnificent.
So, what are the money-can't-buy prizes that an organisation like Google could offer?
An adult-entertainment company I worked with once offered "win a date with one of our models" as a prize. Ignoring the obvious problematic aspects of that, would you like to win a 20 minute "date" with the CEO to pitch your idea?
What is it worth to a young security researcher to win an internship?
Would you place value on sitting in the command-centre when SpaceX launches a rocket?
Do you want an exclusive profile badge / challenge coin / avatar for the service?
Sure, you could get money, but how about a ride in our top-secret prototype?
We have tickets to the sports final that we sponsor - wanna come sit in the corporate box?
Can we name a character after you in our next hit movie?
We'll increase the number of followers you have on our social network.
How about a photo-op with the President / Prime Minister / Chancellor / Pope?
To be clear, I think cash-money is probably still the best. And there are an awful lot of Bug Bounty hunters out there who make a decent living fixing other people's mistakes. And, obviously, money-can't-buy is sometimes just another way of saying "we don't have to spend a lot on this".
But I can't help thinking that big organisations could offer something a lot more valuable - and memorable - than money.
What do you think? What would you like to win?
-
Yes. As the saying goes "Money can be exchanged for goods and services" ↩︎
-
Of course, vouchers can be exchanged for cash. Usually at a much lower value than the face price. ↩︎
Ivan says:
Cash is always going to be the best, but it has its edge cases. If your service is a vendor at my company, and I discover a security bug and I fix it while working, because I have a very good incentive to do so, chances are I can't legally receive the cash bounty for it due to the anti-bribery and conflict of interest clauses in my contract, or I need to run this past Compliance first.
Then comes the question of what is the relationship of the people doing the bug bounties? Are they random open source developers? Do they work at companies that use our product? Are they full time security researchers as individuals who spend their time fixing other people's stuff as a full time gig? Do they work at one of the security research companies? If they're an employee of the security research company, do they get the cash prize, or does the company? Is that stipulated in their contract? Is that stipulated in your bug bounty agreement / terms?
If I was an out of work person who happened to find a security bug and disclosed it responsibly, apart from the cash prize, the other super valuable thing I would appreciate is a job offer. Clearly I have the skills to do the job, I have already demonstrated it, I care enough about the product / company that I went through the process of responsibly disclosing it, you already know I can abide by NDAs and stuff. The only hurdle left is the legality of employing me due to geopolitical and tax reasons.
More comments on Mastodon.