Barracuda Networks is an internet security company that offers industry leading protection for hundreds of thousands of internet users a day. They offer spam and virus protection, firewalls and web filters. They recently began a program that offers bounty’s to users who can find harmful bugs and vulnerabilities in their products. The price of the bounty ranges from $500 to $3,000, depending on the severity of the issue, for anyone who can find an issue with their system. Barracuda is the first internet security provider to offer a bounty for an issue related with their own software. Other groups and companies have offered bounties on other company’s software but not for their own.
The actual cause of these bounty offerings is that Barracuda wants to enable its users to search for problems within their own software. This gives the information technology professionals at Barracuda another viewpoint, other than their own when researching their own technology. Another cause of this issue is that a lot of bugs may have been reported with the Barracuda security and they can be fixed in a more timely manner by offering bounties to fix them. A typical user who comes across a bug will probably just avoid just the software all together or they will find a way around the bug and not report it to the manufacturer. I know when I come across an issue in my browser or security system and it asks me to report it I always decline because it takes too long. However, if the users know that they will be paid money for reporting the bug to Barracuda then they are much more likely to report it to them.
The best scenario would be for a network security company to offer a security package that does not have any bugs in it. Obviously that is usually not ever the case because people come up with new ways to create viruses and problems with a network system almost daily. The security company cannot always respond very quickly because they don’t really know until someone reports it. Thus, offering users a reward for reporting the bug is a great idea.
Wednesday, November 10, 2010
Subscribe to:
Post Comments (Atom)
Posts
I agree with you, Casey, that this security vulnerabilities rewards program is a good idea in theory. I think it will help identify issues more effectively and motivate the Barracuda programmers to develop better programs. Critics of the bounty scheme have a strong argument, however. They claim that now there is the danger of developers researching a certain product and offering the exploit to the highest bidder. This means that the security vulnerability exploit can fall into the hands of black hat hackers, and Barracuda's plan will backfire probably at a much higher cost. The particular article I was reading says that this trend of offering rewards to users finding holes in their own networks is not in the long-term interest of the industry. It will be interesting to see how the Barracuda program turns out and whether other companies will follow suit.
ReplyDeleteBarracuda Networks' idea to provide monetary rewards for finding bugs within their software is a great idea that I am surprised has not been introduced by other companies. Aforementioned in the above posts, this is a great way for the company to turn every user into a potential tester and get a different perspective. I think that it is no coincidence that a company with such policies is included in conversations about top of the line antivirus/firewall software.
ReplyDeleteThis policy also continuously pushed Barracuda Networks to have quality up-to-date products so that they do not have to pay a lor of users money for bugs. Also encouraging users to find bugs is a bold statement of confidence in their product, therefore they are putting pressure on themselves to put out a high-quality product.
Overall, this seems to be a successful security company backed up by a good company strategy. However, it is important for Barracuda Networks to be wary of black hackers still, just like any security company, and to not get complacent in their success.
I agree with the posts above that paying users to find bugs is a good idea, but I also wonder if this could have some negative consequences in the long run. The article that I posted below says that some of these rewards have gone all the way up to $100,000, which is shocking to me. If a hacker has found a bug in a company's computer system I can't see what would stop them from being able to charge an outrageous amount of money for it, since a company who is desperate would be willing to do anything to prevent a disastrous security breach.
ReplyDeleteOn the other hand, the amount of money that would have to be paid to a hacker for finding a bug may be much less than a security breach would cost anyway, and, as PK said, the possibility that they might have to pay a hacker who finds bugs may motivate companies to make their products more secure. It will be interesting to see how this strategy plays out in the long run for companies.
http://www.infoworld.com/d/security-central/should-we-pay-hackers-find-bugs-876?page=0,1