Are bug bounties ever a bad idea?

I recently wrote another post on the state of security vulnerability research.  I discussed my reluctance (shared by many other researchers) to work for free.  To that end, I encouraged the use of "bug bounties" to motivate researchers to "sell" vulnerabilities back to vendors rather than selling them on the open vulnerability market.  One key point is that simply setting up a bounty program doesn't work unless the rewards are competitive with the open market prices.

I expected some whining from a couple of software companies about my refusal to test their software for free.  I got a couple of emails about that, but what surprised me more was the response I got from a trusted colleague (and friend) Lenny Zeltser.  Lenny wrote:

While some companies have mature security practices that can incorporate a bug bounty program, many organizations don't know about the existence of the vulnerability market. Such firms aren't refusing to pay market price for vulnerabilities--they don't even know that vulnerability information can be purchased and sold this way. Should vulnerability researchers treat such firms differently from the firms that knowingly choose not to participate in the vulnerability market?

As luck would have it, I'm actually at a small security vendor conference in Atlanta, GA today.  I polled some vendor representatives to find out whether or not they are aware of a bug bounty program for their software.  I also asked whether they are aware of the vulnerability market.  The results were fairly telling.  First, let me say that this is not a good sample population (but was used merely for expediency).  Problems I see with the sample:

1. These vendors self selected to attend a security conference. Most of them sell security software. They are probably more "security aware" than other vendors and therefore may have more inherent knowledge of security programs (vulnerability market and bug bounties).
2. The people manning the booths are most likely not app developers and probably not involved with the SDLC or vulnerability discovery.

The poll says that less than half of vendors surveyed are familiar with the vulnerability market and the vast majority do not implement bug bounties.  To be fair, many were confident that being security companies they don't suffer from insecure coding practices.  Therefore, their products don't have vulnerabilities and there's no reason to think about a bug bounty.  Lenny's assertion seems proven correct.  The organizations unaware of a vulnerability market probably aren't mature enough to implement a bug bounty. But some organizations are aware of the market, and yet they still don't want to implement a program.

I can only say that attitude is myopic at best.  Practically speaking, if you don't have any vulnerabilities, then a bug bounty program costs you nothing. Why not implement one?  You need a policy drafted, some legal review, a web page announcing the program, and some staff to respond to vulnerability reports (note: you'll need the last one anyway, so it's not an additional cost).  I'd like to take the position that a bug bounty is never a bad idea.  If you disagree, please tell me why.  I'm serious about this. If you or your company does software development and you refuse to implement a bug bounty, please share your reasoning (post it here as a comment if you care to so everyone can see).  If your reasoning is purely philosophical, I'm sorry to tell you I think that ship has sailed.  I'd like to collect a sample set of reasons that companies either refuse to pay bug bounties at all or want to get by without paying market prices.

In my next post, I'll address the second part of Lenny's comment: should vulnerability researchers treat smaller, immature organizations differently than those who knowingly refuse to participate in the vulnerability market.  Look for that post early next week.