Ask LH: Should People Who Find Security Flaws On Your Site Be Rewarded?

Dear Lifehacker, If someone reported and helped you fix a critical security flaw in your website that could be exploited by hackers to do evil stuff and potentially harm your customers, would they be rewarded? I’ve been wondering about this for a while. Thanks, Speak No Evil

Dear SNE,

It’s always nice to acknowledge when someone has done you a good turn, and that acknowledgement might extend to a thank-you gift of some sort. Whether a reward is appropriate depends on the severity of the flaw and on how much work the reporter put in. If the problem is a complex one and your informant has helped with implementing the fix, then a reward is reasonable. If all that has happened is that you have been notified of a well-known flaw in a common software package that can be fixed by upgrading to a newer version, then the thanks are more likely to be on an “I’ll buy you a beer” level.

There are parallels here with what happens in software development. Companies will usually acknowledge researchers who have identified flaws in their software, and some offer a monetary reward (a bug bounty). However, that is usually contingent on the researcher not publicising the flaw before the company has had a reasonable opportunity to fix it, an arrangement generally called coordinated or responsible disclosure. Finding flaws is helpful; screaming about them from the rooftops and alerting the ill-intentioned to them before a fix is available is not.

