
"Bug bounty schemes have since proliferated and have now become the norm for software companies, with some, such as Apple, offering awards of $2m or more to those who find critical security vulnerabilities. Moussouris likens security vulnerability research to working for Uber, only with lower pay and less job security. The catch is that people only get paid if they are the first to find and report a vulnerability. Those who put in the work but get results second or third get nothing.

'Intrinsically, it is exploitative of the labour market. You are asking them to do speculative labour, and you are getting something quite valuable out of them,' she says. Some white hat hackers, motivated by helping people fix security problems, have managed to make a living by specialising in finding medium-risk vulnerabilities that may not pay as well as the high-risk bugs, but are easier to find."
Governments should make software companies legally liable for insecure code. Bug bounty schemes have proliferated and become the norm for software companies, with some, such as Apple, offering awards of $2m or more for critical vulnerabilities. Bug bounties operate as winner-take-all pay in which only the first finder is rewarded, creating speculative labour that often leaves many researchers unpaid. Some researchers earn an income by finding medium-risk vulnerabilities, but most struggle to make a living. Security researchers also face legal risks from anti-hacking laws such as the UK's Computer Misuse Act and the US Computer Fraud and Abuse Act. Microsoft has adopted a non-prosecution policy for responsibly reported vulnerabilities.
Read at ComputerWeekly.com