With companies like Facebook and Google offering cash prizes for people who can find security holes in their products, has there ever been any consideration given to offering cash rewards to people finding security exploits in CentOS or in commonly bundled services like Apache? (Provided of course they follow "responsible disclosure" and report the exploit to the software authors and get it fixed.)
Obviously the benefit would be that it would increase the chance of a white hat finding and fixing an exploit, before a black hat discovered the same one and used it to attack people's servers. Would there be any other downsides, other than the cost of paying out the prize?
I've heard some objections from companies over the years who didn't want to institute a "prize program", but I thought some of those objections didn't make much sense (and indeed some of those companies ended up instituting a prize program after all, a few years later). For example, some people said, "This just encourages people to find exploits and then they might use those exploits to do harm." (The problem with this is if someone has sufficient black-hat incentives for finding an exploit -- either to do malice, or more likely to sell it on the black market -- those incentives *already* exist, so the prize program wouldn't create any additional incentive to use an exploit illegally.) Would you feel safer using CentOS if a bounty program encouraged people to report exploits to the project? Why or why not? I think I would, for the stated reason -- newly discovered exploits are more likely to get reported and fixed, than to be used in the wild. But I'd be curious why anyone might feel less safe if such a program existed.
On a related question, suppose that instead of paying for generic exploits against the operating system, you as a webmaster had the option of adding your website to a directory of "bounty" sites, where you would have to put up a bond of $100 to join. Then anyone who could prove that they broke into your server (let's say the "proof" is that they read a world-readable file in the root directory) would collect the $100 prize, if they can describe exactly how they did it and what you need to fix to prevent the attack in the future. That way, if there's ever a weakness in your server, it's more likely to be found by a white hat and reported to you directly so you can fix it, before a black hat finds the same weakness. Would you sign up your webserver? I think I would, and I believe I'd be reducing the risk of a black-hat breakin as a result, but there may be counter-arguments that I'm not thinking of.
Bennett