Bounty hunters are legally hacking Apple and the Pentagon (theguardian.com)
35 points by EvgeniyZh on Aug 23, 2016 | hide | past | favorite | 5 comments



There's a great episode of the security podcast "Risky Business" which profiles the security researcher featured in this article[0].

[0]: http://risky.biz/RB406


You can reduce the costs of infosec consulting by combining it with bug-bounties.

The more prominent the brand/company, the more people will want to find vulns. Especially when you're not the Pentagon or Apple but some no-name vendor nobody has ever heard of. In that case you won't get the same value out of it. They're not a replacement for regular professional security audits. Really crucial for small firms who think they solve all problems with a bug-bounty[0].

The "market" currently dictating the amounts offered in bounties doesn't really reflect the level of risk[1] associated with vulns. And IMO never will.

Bug-bounties aren't new, but the professional way and scale in which they're organized is new (crowd-sourcing really works here). So I'm pretty excited to see how this evolves.

[0] https://twitter.com/CopperheadOS/status/753253574184951808

[1] https://twitter.com/rantyben/status/753080683657060353


The biggest news here is that Apple now has a bug bounty program.



URL changed from https://www.technologyreview.com/s/602224/a-bug-hunting-hack..., which is pretty much entirely cribbed from this.

Submitters: the HN guidelines ask you to submit original sources. When one article is copied from another, please submit that one instead.



