Thanks for the invite and for asking me to comment on open source software bounties! Jeff had some valid and invalid points. His most valid point is that money brings more security, but the point in his article about his product being 100 percent free is somewhat invalid. The moment you associate a free program with your name you can use it for credibility, to show people what you’ve made and why they can hire you, etc. So can you really call the product free? You aren’t being charged to use it, but the product isn’t entirely free, if the word free means there is nothing gained and nothing earned from the product. I am not picking on Jeff; he has done amazing work. I am trying to point out an invalid perception in the open source community about products that are “free”.
Everyone knows that one platform my company does research on is WordPress code, because it is so widespread. You wouldn’t believe how many bug reports we make for free and don’t write about. Although, playing Devil’s advocate, can you really say a security bug you reported is free if you write about it? If either your personal site or, in this case, our company’s site gets more views, and that then turns into more readers or even paid work, then something was gained or even earned from that “free” report.
One problem we have with free reports is when a company has a steady revenue and sets up a bug bounty that offers no monetary compensation. When I say steady revenue, I mean millions of dollars in revenue every year. No company with that much money coming in should run a free bounty, yet so many do. The mentality that researchers’ work should be free when you are making millions of dollars off the software is just plain wrong. It shows how little companies value security reports. When we run into one of these situations, we will make a report telling the company where the vulnerability is, why it is vulnerable, what the type of exploit is, and references to other work demonstrating that exploit or similar exploits. What we don’t do is spend the time making a working proof of concept unique to these companies’ software, because it takes up a lot of time and they have tons of money but choose not to pay. Our work has value.
Most of these large companies that choose not to pay for security holes are also infamous for not fixing security issues, even when you make them a full working proof of concept for free and it is found valid by peers or even by Bugcrowd. If we found the bug while working for a customer, then we send the bug to the company with a full proof of concept.
When it comes to kudos bounties, well, we do some of them even when the company makes enough money, but when the report is free and the company doesn’t respond for months, or ever, then you don’t work with that company again. Although that is a conversation for a different thread.