Bug Bounties and the Cobra Effect
Bug Bounties and the Cobra Effect
May 27, 2021 - Summarized from Dark Reading
Dark Reading – Oleg Brodt, R&D Director of Deutsche Telekom Innovation Labs, Israel, and Chief Innovation Officer for Cyber@BGU, looks at the growing Bug Hunter ecosystem and its consequences.
Oleg Brodt, R&D Director of Deutsche Telekom Innovation Labs, Israel, and Chief Innovation Officer for Cyber@BGU.
Mitigating Threats
During British rule in India in the second half of the 19th century, the British were concerned about the abundance of venomous cobra snakes across Delhi. To mitigate the threat, the British government started offering bounties for every dead cobra snake that hunters turned in.
As expected, the bounty program was a success, as dead cobras started pouring in. Soon enough, more volunteers joined the effort, and it seemed that cleaning Delhi out of deadly snakes was a matter of time. Nevertheless, as months went by, the pace of beheaded-snake deliveries did not decline. On the contrary: Unlike as the government anticipated, it increased.
Authorities started to investigate. To their surprise, Delhi was full of cobra breeding farms. Once the street snake population started to decline, it was much harder for the hunters to keep up with their bounty rewards. Instead, the locals set up snake breeding farms and now had an unlimited supply of dead cobras, yielding a constant income of reward money.
What the Cobra Effect Has to Do With Bug Bounties
This anecdote can teach us a valuable lesson about cybersecurity bug bounty programs. Most of them offer monetary compensation, corporate swag, and leaderboard “glory” to bug hunters who disclose cybersecurity vulnerabilities. Despite good intentions, an entire ecosystem of bug bounty hunting has emerged. There are now specialized courses, trainings, books, conferences, and program management companies dedicated to bug bounties. It seems bug hunting became an industry of its own — almost none of which existed a decade ago — with a growing army of bug hunters.
Unlike cobras, vulnerabilities cannot be “bred.” Therefore, at least theoretically, at some point, the bug hunters should dry out the swamp of vulnerabilities. Nonetheless, in practice, it is rather convenient for software vendors to transfer the liability of eliminating vulnerabilities in their products to bug hunters, who are much cheaper than maintaining dedicated security personnel.
In a world without bug hunters, companies must invest more in better coding practices and bear more responsibility for their products’ security in the first place, before the product hits the market. The cobra effect in cybersecurity bug bounty programs allows vendors to run away from their responsibility to make better, more secure products from the get-go, solve the problem at its source, or at least try.
Stories Like This
