Information Security News mailing list archives

Study: Bug bounty programs provide strong value for vendors


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 10 Jul 2013 08:43:59 +0000 (UTC)

https://www.computerworld.com/s/article/9240675/Study_Bug_bounty_programs_provide_strong_value_for_vendors

By Jeremy Kirk
IDG News Service
July 9, 2013

Paying rewards to independent security researchers for finding software problems is a vastly better investment than hiring employees to do the same work, according to researchers from the University of California Berkeley.

Their study looked at vulnerability reward programs (VRPs) run by Google and Mozilla for the Chrome and Firefox web browsers.

Over the last three years, Google has paid US$580,000 in rewards, and Mozilla has paid $570,000. In the course of those programs, hundreds of vulnerabilities have been fixed in the widely used products.

The programs are very cost effective. Since a North American developer costs a company about $100,000 in salary plus 50 percent overhead, "we see that the cost of either of these VRPs is comparable to the cost of just one member of the browser security team," the researchers wrote.

[...]



--
Visit the new and improved InfoSec News website
http://www.infosecnews.org/