CSAW'15 Policy Prompt
This prompt was given to all Policy entrants, who were tasked with writing a paper based on the prompt.
Software developers sometimes utilize "bug bounty" programs, whereby the developers pay individuals for reporting bugs and exploits as a means of improving the security of their software. Some have suggested that the creation of a national bug bounty program would be useful in securing the software that US economic and national security interests rely upon.
HOW WOULD YOU SUGGEST THE UNITED STATES IMPLEMENT A NATIONAL BUG BOUNTY PROGRAM?
Factors to consider in your answer:
- Your entry must be no longer than four pages.
- How would you balance the interest in patching bugs with the competing interest of exploiting them for the purpose of gathering foreign intelligence?
- How large would the financial rewards be?
- What effect would those rewards have on the existing market for zero-day exploits?
- What are the benefits and drawbacks related to this change in the exploit market?
- Must a bug be disclosed exclusively in order to receive a bounty?
- Are there previous or existing policies, agencies, laws or programs that could provide a framework upon which to build a bug bounty program?
- Where do private companies fit into your implementation?