April 12th, 2006
An interesting article from Wired popped up on my radar screen this morning: an article by Jennifer Granick entitled “Bug Bounties Exterminate Holes.” In a nutshell: there are now vendors, including iDefense and 3Com, that will pay bounties of anywhere from a few hundred dollars to as much as $10,000, to independent security researchers who provide information about security-related bugs and vulnerabilities in products like Microsoft Windows. And Mozilla, the open-source web-browser vendor, has a Bug Bounty Program that will pay $500 and a free t-shirt (wow! a t-shirt! what’s next – a coffee mug?) to researchers who find security holes. All of this is apparently an outgrowth of a long-running debate in the computer-security field about the virtues of having security experts report their findings to the vendors first (thus not tipping off the hackers, but leaving customers exposed), versus reporting their findings to the public first (with an opposite set of benefits and problems).
There’s another approach that is surprisingly unknown, even among professional software developers: honeypots, decoy software packages deliberately made to look unprotected, so that hackers are drawn to break into the site and their tactics and tools can be observed. A few books have been published in this area during the past couple of years; a good, recent book about honeypots for the world of Microsoft Windows (whose users must feel they are operating in a digital version of Baghdad!) is Honeypots for Windows, by Roger Grimes.
This is all important and interesting, but it suggests another equally interesting area for exploration: what about some kind of bounty for the individuals and/or companies who find non-security-related bugs and problems in popular software products? In rare cases, you can find this kind of information on the vendor’s web site, but it’s far more common to find the vendor stonewalling any inquiries or complaints about such problems; and even when confronted with the evidence, they’re more likely to say, “Wait until the next version comes out!” rather than offering constructive advice for work-arounds.
There are a few independent sites that provide this kind of information; for Mac users like me, Version Tracker is a good resource. But it’s not comprehensive, and most of the postings are rants and complaints about missing features, rather than warnings and constructive advice about bugs or quirks in the software.
With all of the grass-roots efforts underway to create new Web 2.0-related products and services, it seems to me that this is a big opportunity. Maybe I should go find a venture capitalist …
P.S. If you’re interested in the mindset required to track down bugs in software written by someone else, check out Find the Bug: A Book of Incorrect Programs, by Adam Barr. Barr works for Microsoft; draw your own conclusions.