
Brilliant: Tech Giants Start Security Bug Bounty Programs

By William Peacock, Esq. on November 11, 2013 | Last updated on March 21, 2019

Quick analogy: Windows is to your computer what OpenSSL, OpenSSH, BIND, and other open-source packages are to the Internet as a whole.

Your computer runs on Windows, while web apps, servers, e-commerce sites, and pretty much the entire Internet run on these collections of open-source code. But while Microsoft, as the owner and vendor of Windows, is responsible for patching security bugs in its consumer operating system, who is responsible for finding and fixing security bugs in these widely used, free, open-source packages?

Open Source: By Everyone, For Everyone

The beauty of open-source code is that anyone can use it, anyone can modify it, and anyone can benefit from it. But with no central vendor behind it, what company is going to be willing to pour its own resources into finding and patching security bugs, especially when there are so many other companies that could just as well do it?

It's classic diffusion of responsibility: leave it to somebody else. And while the altruistic motive of making the Internet a better place may suffice in the early stages of a project, companies eventually have to answer to shareholders, and internal software gets priority over open-source code.

The Bug Bounty Program

To ensure that everyone is chipping in, and to stave off diffusion of responsibility issues, Microsoft and Facebook sponsored a bounty program, and they are joined by researchers at Google, security firm iSec Partners, and craft e-commerce website Etsy, reports Ars Technica.

The bounty program will, in some instances, pay more than $5,000 per vulnerability. The bugs must affect software that is used by multiple companies, must have potentially severe consequences for the general public, and must affect a wide variety of users.

Researchers will then triage the reports, coordinating disclosure to the affected companies and planning repairs.

The program isn't the first of its kind -- Google, last month, offered bounties for open-source bugs, and a number of companies reward individuals who find vulnerabilities in their own software. This program, however, bands multiple companies together to address the Internet as a whole.

And while this may not directly help your mom-and-pop shop, or your solo attorney in Yolo County, security enhancements to the common code of the Internet mean less chance of a website hack or a client data leak.

Have an opinion? Tweet us @FindLawLP.
