crowd-sourcing your bugs

Most of us in the contracting space are interested in alternate ways of making money. Personally, I enjoy straight programming more than almost any other means of earning it, but I discovered something recently that looks interesting. There’s a website now that seemingly pays for finding bugs in the code of others. As programmers we are often good at spotting problems early and we’re probably the best at finding them. Troubleshooting is usually something that isn’t seen as a profit center, so why not flip things and make some money doing it?

Enter the new website which appears to be crowd-sourcing the problem of code testing. Various companies then work with the website to outsource this task to others who attempt to identify a problem worth fixing. If they decide that it’s indeed a bug then they usually pay some form of money to the researcher.

My Anecdote

From my own limited experience, I created an account, reviewed the many offers and picked the Tesla Motors website to look for security problems. Within an hour I identified something from a third-party webtiming partner which turned out to be flagged by Microsoft Security Essentials as the Win32/Spursint.A Trojan. (Not bad for just an hour’s work, I thought.) I then wrote up my findings and awaited a response. Someone did respond within 24 hours.

But then the fun began as I attempted to communicate what I’d found. Since they couldn’t recreate what I’d seen they submitted the linked JavaScript to other antivirus sites which found it to be clean.

Next, I tried to explain the nature of the Akamai network of caching servers and how a local version of their server might be delivering different content than what I’d received: some get the Trojan and some do not, in other words. Again, this was falling upon deaf ears.

I then tried to convince them that development-related timing code isn’t normally pushed to production, that their build process should have groomed this out in the first place. Again, no sale. They just didn’t want to hear that their third-party JavaScript provider could have been compromised. Lesson learned: don’t waste your time twice with the same company who won’t listen to reason.

Closing Thoughts

Will I use Bugcrowd again? I like the concept. I think I had rather spend my time, though, in a more fruitful venture with a less risky return.

New wisdom: Avoid systems in which you perform labor and then someone else decides whether or not your labor deserves getting paid for. Oh, and unless you have an up-to-date virus checker you may want to avoid the Tesla website since it sometimes delivers a Trojan to your browser.