Bug Bounties Are Not Security


Paying people rewards for finding security flaws is not the same as hiring your own analysts and testers. It's a reasonable addition to a software security program, but no substitute.

I've said this before, but Moshe Yudkowsky said it better:

Here's an outsourcing idea: get rid of your fleet of delivery trucks, toss your packages out into the street, and offer a reward to anyone who successfully delivers a package. Sound like a good idea, or a recipe for disaster?

Source: Schneier on Security: Bug Bounties Are Not Security

Linked by shanmuga Wednesday, 28th December 2005 12:02AM