https://www.computerworld.com/s/article/9240675/Study_Bug_bounty_programs_provide_strong_value_for_vendors
By Jeremy Kirk
IDG News Service
July 9, 2013
Paying rewards to independent security researchers for finding software
problems is a vastly better investment than hiring employees to do the
same work, according to researchers from the University of California,
Berkeley.
Their study looked at vulnerability reward programs (VRPs) run by Google
and Mozilla for the Chrome and Firefox web browsers.
Over the last three years, Google has paid US$580,000 in rewards, and
Mozilla has paid $570,000. In the course of those programs, hundreds of
vulnerabilities have been fixed in the widely used products.
The programs are very cost effective. Since a North American developer's
salary will cost a company about $100,000 with a 50 percent overhead, "we
see that the cost of either of these VRPs is comparable to the cost of
just one member of the browser security team," the researchers wrote.
[...]
--
Visit the new and improved InfoSec News website
http://www.infosecnews.org/