Bounty programs are good - I said it!

My earlier post on bounty programs is referenced here: http://infosecgallery.blogspot.in/2013/03/about-bounties-government-ethics-and.html


There was a lot of discussion on bounty payment by an Indian government department, but let's keep that aside.

There are a few Indian companies to whom well-meaning and ethical hackers have reported vulnerabilities. These companies have not taken action (usually), and if they have made changes based on the disclosure, they have not had the courtesy to write back to thank the person who saved them from potential disaster and also did them a favor by providing free VA!!

But these miserly Indian CISOs / CEOs / CFOs are short-sighted and typically uncaring about anything or anyone that does not have a foreign flag stamped on their ass.... hah!

I have always said it is good for the company to whom vulnerabilities were responsibly disclosed. Consider this:
- the company gets free-of-cost VA services which would have otherwise cost nothing less than 50k to 100k Rupees
- they get to know someone skilled who can be hired to provide contract services for a low fee when required
- by paying a bounty they reach out and form a bond with the ethical hacker
- this guy talks about the warmth at the company, the company gains the goodwill of the entire ethical hacking community, and they will always look out for you

Now comes this report:
http://threatpost.com/researchers-find-bug-bounty-programs-pay-economic-rewards/101243

It shows the savings made by companies like Google and Paypal with their bounty programs. Consider this - even Microsoft has kept a big amount aside for their bug bounty program!

Unfortunately, our Indian corporates continue to spend big money on VAPT services when they could well have skilled persons on their goodwill list and get 100k worth of work with just a 10k bounty.