Big software companies and security (How Sony should handle hacking)
Today I did an interesting experiment. As you may or may not know, big software companies have to handle security issues with many techniques. One of the techniques used recently is known as “bug bounties”.
The idea is to pay independent security researchers/hackers who report vulnerabilities and bugs in critical programs (browsers, websites, applications,…) before they are disclosed publicly. In general, anybody who’s not an employee of these companies can participate. There are even a few examples of junior high school kids who have received pretty good amounts of money for reporting such security issues.
So what I did was search for the “bug bounty” programs of a few big projects/companies and note the first results:
Facebook offers in general 500$ for a vulnerability report
Google offers between 100$ and 1337$ for such reports
Mozilla offers up to $3000 for security bugs
Microsoft doesn’t have a bounty program but organizes white-hat hacking “contests” with massive rewards.
Sony offers money to the people who could give them information about hackers… wait, what the…? (ironically, other results for that query are 100% about Facebook, Google, etc… ‘s bounty programs)
The last result for Sony is just icing on the cake. Initially I was doing the research just to show that Sony didn’t have a bug bounty program while it should. The result went even beyond my “expectations”: not only do they not have a bug bounty program, they actually pay money to chase hackers (in this case, those were some pretty bad guys, but that’s not the point).
I’m just a blogger, but here’s some advice for Sony: most of the psp/vita/ps3 hackers I know are students, and would really think twice about publicly releasing a hack (or contacting me about it) if the alternative was a 500$ reward. I am convinced a bounty program on your gaming consoles could dramatically mitigate hacks such as the ones used for VHBL, for example.
It could also probably help mitigate commercial piracy such as the True Blue dongle on the PS3. The people behind this dongle would never sell their hack for a few hundred dollars (why would they, when they are sitting on hundreds of thousands of dollars from their black market), but it is possible that a few independent hackers would dig more seriously into reversing the True Blue dongles if they knew there was a reward…
If you consider that there are about a dozen exploitable PSP games on the PSN right now, it would mean that for about 5000$, Sony could get rid of the current “threat” that is VHBL… if I were them I’d consider running a bounty program… unless, like me, they believe VHBL is actually good advertising for their console (and let’s be honest, given its poor sales, the Vita needs every form of promotion it can get).
A bug bounty program, given the current demographics of PSP/Vita/PS3 hackers, would in my opinion be a very cost-effective way for Sony to mitigate hacking (and to some extent, piracy) on their consoles. It could also probably be extended to their websites and services (especially the PSN). Another indirect benefit would be that trust issues would arise in current Sony hacking communities, making it difficult for hackers to work together.
Thankfully, I’m just a pissed off Sony customer, and I know Sony never listens to their angry customers, so I think we’ll still have hacks for a while on our consoles.