Value of bug bounty programs
We've noted before that buggy software can be a security issue, one that has prompted many end-user companies to ponder actions that would make their vendors more accountable.
The issue is just as pressing for software developed in-house for wide use over the Internet, which brings us to Facebook and the other companies that have turned to bug bounties as part of their quality assurance programs. As SC magazine makes clear, the idea of paying vendors and researchers to find bugs has been percolating for years.
More software makers have latched on to the idea, to the delight of researchers. Mozilla, for example, has been paying bounties since 2004, and for bug-hunting researchers a bull market has settled in. Mozilla recently boosted its bug bounties from $500 to $3,000. Google has boosted its top bounty for Chrome bugs from $1,337 to $3,133.70 and has paid out more than half a million dollars in prizes over the last few years. Facebook pays about $500 for routine bugs but has been known to pay as much as $5,000.
SC notes, however, that not everyone thinks bug bounties are a good idea. Adobe says that the focus on bounties "could cause firms to focus too much attention on offensive protections, and, as a result, neglect research investments for exploit mitigation techniques." But it's fair to say that bounties are only one part of an overall quality assurance program; they are by no means its foundation.
For more:
- here's the article from SC
Related article:
IN-DEPTH: Banks turn to ethical hackers to enhance security