# CSAW'15 Policy Prompt

This prompt was given to all Policy entrants, who were tasked with writing a paper based on the prompt.

Software developers sometimes utilize "bug bounty" programs, whereby the developers pay individuals for reporting bugs and exploits as a means of improving the security of their software. Some have suggested that the creation of a national bug bounty program would be useful in securing the software that US economic and national security interests rely upon.

HOW WOULD YOU SUGGEST THE UNITED STATES IMPLEMENT A NATIONAL BUG BOUNTY PROGRAM?

Factors to consider in your answer:
  • Your entry must be no longer than four pages.
  • How would you balance the interest in patching bugs with the competing interest of exploiting them for the purpose of gathering foreign intelligence?
  • How large would the financial rewards be?
  • What effect would those rewards have on the existing market for zero-day exploits?
  • What are the benefits and drawbacks related to this change in the exploit market?
  • Must a bug be disclosed exclusively in order to receive a bounty?
  • Are there previous or existing policies, agencies, laws or programs that could provide a framework upon which to build a bug bounty program?
  • Where do private companies fit into your implementation?