- October 10, 2016 at 11:20 am #13907
I found these interesting results from a survey conducted recently by Wakefield Research, commissioned by code evaluation firm Veracode.
One of the big takeaways from the survey was the fact that 59% of IT decision makers (ITDMs) think it's more expensive to fix code flaws found in bug bounty programmes than to secure code during development.
I thought this was very interesting, and surely it suggests that these companies should spend more money investing in testing rather than offering bigger rewards for bug bounties?
What do you think?
- October 10, 2016 at 5:39 pm #13916
There is some commercial evidence and information in the methodology of testing that early bug-finding is lower cost than any bug found later 🙂
- October 13, 2016 at 9:46 am #13947
> There is some commercial evidence and information in the methodology of testing that early bug-finding is lower cost than any bug found later
commercial = myth, see http://thklein.com/en_US/cost-of-defect/
Regarding bug bounty programs (not Bug Hunts): my opinion on them as risk mitigation activities is that they can "crowd source" a lot of edge cases that the producing company would find costly to cover itself, both with regard to skills and time.
- October 19, 2016 at 10:27 am #14002
Why not both?
- November 4, 2016 at 1:51 pm #14222
I believe it is best to invest more in software testing. Imagine having a vulnerability in the software: by the time someone reports it through a bug bounty program, it could easily prove very costly.
It is also good to have bug bounties. But the chances of finding defects after thorough testing will be considerably lower, and hence they will prove less costly.