Tuesday, July 5, 2016

Strategic Recommendations and Bug Bounties


I have so many feelings about bug bounties. First of all, bug bounties turn your penetration testing program into a hilarious cross between sales and marketing. Hiring sales people is fun because you know they are motivated only by money, have read your sales compensation plan, and spend more time trying to game that plan than actually selling.

And this is what you see with bug bounties - companies spending hours manipulating their plans to try to get their team to perform for them. If you run a bug bounty, and you get no bugs, does that mean your site is secure, or that your incentive plan is bad? Hard to say.

But aside from that hilarity, there was an important point hidden within the Uber page on HackerOne: They are not getting what they would get from a relationship with a security services vendor.

Look, when you go to the dentist, you get two things:

  1. Cleaner teeth, possibly with fillings and other repair work done
  2. Strategic advice ("please stop chewing ice all day")

Look at the statement I screenshotted above and read it slowly, in a funny British accent. What is the strategic advice you would give out to someone who keeps having to remove lots of various plugins from their WordPress installs, but is security sensitive? Would it be "Please don't install WordPress all day?"