Bounty Hunters: Shootout at the Software Corral

Connoisseurs of 1960s TV might be familiar with Paladin, a Western that featured a San Francisco character with a business card that read “Have Gun, Will Travel.” He was a dapper cross between a private detective and a bounty hunter who roamed through the West tracking down bad guys. He was mainly a nonviolent sort, but, dead or alive, Paladin generally got his man and won the reward.

Bounty hunters abound in American popular culture. Today we still have bounties, and, most recently, terrorists aside, they are sprouting up everywhere in the software arena.

There are bounties for finding and reporting bugs as well as finding and turning in virus writers, copyright infringers and trespassers (or worse) who disrupt networks, take over networks and commit other computer-related crimes. Anyone considering offering a reward would do well to learn from the mistakes of others and study up on the science of bounty schemes.

A reward might take the form of compensation, usually money, offered by a government or an individual to the public, with some qualifications, in return for the performance of some act. The offer of a reward is generally considered an offer in the contract sense, in that once the offer is accepted and performed upon before the reward is withdrawn, the offeror can be legally obligated to pay the reward.

That means that a poorly thought-out reward program has two ways to fail. The reward might never be claimed and no benefit obtained, or the offeror might be legally obligated to pay out even without the intended benefit.

Essential Elements of a Reward

For a reward to work, the rewarded act must be something the offeror could not do alone without the help of unknown parties. The reward offer must reach those who could perform the rewarded acts, and the amount and terms of the reward must be such that those who could perform the rewarded acts decide to do them instead of not doing them. If the goal doesn’t fit that pattern, try something else. Everything else is either a gimmick or a waste of money.

A perfect example is Microsoft. It doesn’t offer rewards for bug fixes because that is something it can do itself quite easily. If it did offer rewards, the rewards would come out of a marketing budget, not a programming budget. However, it does offer rewards for information leading to an arrest and conviction of virus writers in the Microsoft Antivirus Reward Program. Apparently, it had quick success with the program, as informants tipped off Microsoft to Sven Jaschan, who wrote the Sasser worm.

It seems obvious that the offer must get to those who could take the desired action, and it should be obvious that a reward is a gimmick if the offer is not going to the right places. If U.S. companies get attacked by a targeted virus originating in Russia, they can publicize the reward in Russia to get the virus writer, or they can publicize it in the U.S. to mollify their investors and customers. Microsoft didn’t publish news of the reward in the legal journals or IEEE publications, so I missed it, but that’s OK because I don’t know any virus writers. However, they apparently got the news to the German hacker-cracker community.

The third critical part of a bounty scheme is that the reward has to tip the actor into action. SCO offered a US$250,000 bounty for information leading to the arrest and conviction of the creators of the MyDoom virus, which was set up to turn infected machines into zombies that attacked SCO’s Web site. If there is truth to SCO’s theory that the MyDoom virus was created by hardcore open-source and Linux advocates because of SCO’s position on Linux and copyright infringement, then the company had to know that money is not likely a motivator among those who would spend the time and effort to mount an attack on SCO.

Rewards from the Law

Law enforcement has a long experience with bounties, but even the law-enforcement community has mixed results with them. Several very bright people have analyzed bounty schemes to understand why some work and some don’t. Software companies, network managers and victims of computer crimes would do well to study up on the topic before deciding to offer rewards.

The IRS program that rewards those who turn in tax cheats apparently works well. The rewards are a percentage of unpaid taxes collected and are contingent on the IRS not already being on the trail of the tax cheat. The IRS doesn’t mind paying rewards because it increases its tax collections as long as it is a tip on unpaid taxes they wouldn’t have found themselves.

The SEC pays rewards to whistleblowers who turn in inside traders, but that doesn’t work too well. It might be that most inside trading is only visible to other insiders and family members of the inside trader, who all have reasons of their own not to turn in the inside trader.

FTC Spam Bounty System

Last week, the FTC released a report supporting the creation of a government-funded bounty system to stop spammers. The FTC currently gets about 300,000 reports of spam daily, so why would they offer compensation for something they already get for free?

Besides, the information is not all that useful except as aggregated data. The FTC also gets detailed reports from technically savvy “cybersleuths” who sniff out technical details of spam and forward that on to the FTC. Rewards are not needed there either, because the motivation for cybersleuths is not money but just keeping e-mail systems clear. Furthermore, the information might lead to the source of spam, but not to the culprit sending it.

The FTC hopes the bounties will provide an incentive for coworkers, friends or associates of spammers to turn them in. To work, the rewards program must be carefully structured. For instance, some government programs allow the tipster to remain anonymous during the investigation. This might be required for the FTC spam rewards program because the tipster might be taking a personal risk in turning in someone they know.

Reading short news articles on the FTC Report cannot do it justice. Anyone considering a rewards program would do well to study the full report as well as the expert reports that are included with it. The Nagorsky Expert Report provides a good analysis of what works and does not in various bounty schemes.

Business Is Business

The bottom line is always that business is business. Perhaps like in the Wild West, governments and businesses will decide to solve their problems more often by sending out bounty hunters to recover the stolen goods.

The problem is that in the cowboy heydays, things were simple — “Wanted Dead or Alive” pretty much said it all. Today, bounties are more complicated. Tacking a poster to a tree doesn’t cut it anymore. For you would-be Paladins, don’t quit your day jobs just yet.

Phil Albert, a LinuxInsider columnist, is a patent attorney and partner with the San Francisco office of the intellectual property law firm Townsend and Townsend and Crew LLP.

1 Comment

  • I'm interested in making software bounties much more of a development force to be reckoned with; to that end I built .
    Hope that helps…
