Even customers of a company with a good bug bounty program may suffer at the hands of one new bug that was not submitted through the program — or one that customers failed to patch in a timely manner. One bug can cause a whole lot of problems. A vendor can report that it closed more security holes than ever and still have more of its customers hacked than ever in the same year.
Don't get me wrong. I'm fairly excited about vendor bug bounty programs, especially because they give white hat hackers a way to earn money for their talents legally. But I'm still waiting for definitive results that say they actually result in fewer exploited customers.