It has been reported this week that Facebook has recently paid out £25,000 to individuals who have identified, and reported through an authorised process, security holes in the software and systems that make up Facebook.

This practice of developing software and systems, putting them out into the public domain for use by the public, and then rewarding those who identify vulnerabilities with cash has its good and not so good points. These are some observations:

• Could the system of rewarding external third parties who identify vulnerabilities remove the internal pressure to develop and implement secure software and systems?
• A vulnerability reward scheme could be seen as outsourcing much of the QA/testing process without having to pay for it up front. Think of it as performance-related pay: you look for the vulnerabilities and you’ll be paid if you find any. An effective spreading of the financial risk?!
• What would be classified as a “vulnerability” upon which a finder’s fee would be paid?
• How would you get around the obvious legal ramifications of testing someone’s systems and system security without permission?
• How do you differentiate between those testing your software/system security as a result of your vulnerability reward scheme and those looking to exploit your systems for malicious ends?

On a final point, are such schemes effectively paying twice for software and system development, i.e. you pay once to develop the software/system, only to pay a second time when someone identifies a vulnerability? Or are they a cost-effective way to address the law of diminishing returns when investing in secure software and system development, i.e. at some point the cost of identifying vulnerabilities in software and systems exceeds the benefit?

Got any thoughts that you’d like to share on the topic of vulnerability reporting schemes? Please do share. Bruce.