Information Security News mailing list archives
Study: Bug bounty programs provide strong value for vendors
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 10 Jul 2013 08:43:59 +0000 (UTC)
https://www.computerworld.com/s/article/9240675/Study_Bug_bounty_programs_provide_strong_value_for_vendors

By Jeremy Kirk
IDG News Service
July 9, 2013

Paying rewards to independent security researchers for finding software problems is a vastly better investment than hiring employees to do the same work, according to researchers from the University of California Berkeley.
Their study looked at vulnerability reward programs (VRPs) run by Google and Mozilla for the Chrome and Firefox web browsers.
Over the last three years, Google has paid US$580,000 in rewards, and Mozilla has paid $570,000. In the course of those programs, hundreds of vulnerabilities have been fixed in the widely used products.
The programs are very cost effective. Since a North American developer's salary will cost a company about $100,000 with a 50 percent overhead, "we see that the cost of either of these VRPs is comparable to the cost of just one member of the browser security team," the researchers wrote.
[...]

--
Visit the new and improved InfoSec News website http://www.infosecnews.org/