Researchers: Bug Bounties Don't Work
New research conducted by the Massachusetts Institute of Technology (MIT), Harvard University, Facebook and Hacker One finds that offering a bug bounty isn't the most effective way to increase the security of software. According to the researchers, offering money in exchange for information about vulnerabilities only helps to eliminate the "low-hanging fruit," the bugs that were easy to find.
Instead, the report says that developers should pay researchers to develop tools that can spot bugs, which is a more cost effective strategy for improving security in the long run. The report added that it is particularly difficult to counteract the efforts of organizations like national intelligence agencies that have a lot of funding and interest in finding vulnerabilities.