Nice to see a bit of good common sense here.
Want to get rich from bug bounties? You're better off exterminating roaches for a living
Security researchers looking to earn a living as bug bounty hunters would do better to pursue actual insects. Using data from bug bounty biz HackerOne, security shop Trail of Bits observes that the top one per cent of bug hunters found on average 0.87 bugs per month, resulting in bounty earnings equivalent to an average …
COMMENTS
-
Tuesday 15th January 2019 11:01 GMT Dr Dan Holdsworth
Things may change in future
It turns out that exterminating cockroaches is actually quite easy, if you use modern science to help you out. The problem with most methods of killing cockroaches is that the cockroaches have tremendous selection pressure to evolve ways of not getting killed. The way around this is to use a method which they will find much more difficult to evolve out of.
That way is developmental disruption. A cockroach life cycle is a simple one; it hatches from an egg into a miniature cockroach, then goes through a series of instars, shedding its exoskeleton each time and inflating internal air sacs to make the soft new one a bit bigger than the old one. All the time this is happening, a gland in its head is pumping out a hormone called Juvenile Hormone, for which there is no equivalent in vertebrates. About halfway through the last juvenile instar the gland stops producing juvenile hormone, and the final exoskeleton that forms is a little different from all the previous ones; it has genitalia and other adult characteristics.
If you produce an artificial analogue of juvenile hormone and keep giving this to last instar cockroaches, then their adult exoskeleton looks just like a juvenile one; no genitalia. Such animals cannot breed, and do not undergo any further moults either; they live out their lives without breeding. Juvenile hormone analogues that are thousands of times more bio-active than the real one, and much more persistent, have been developed.
This means that if you want to permanently keep the cockroach population in a building near to zero, all you do is periodically saturate the place with a juvenile hormone analogue. You'll always have a few cockroaches coming in from the surrounding area, but the offspring of these incomers never themselves breed.
-
Tuesday 15th January 2019 12:23 GMT Anonymous Coward
Re: Things may change in future
@Dr Dan Holdsworth
Nice attack vector, assuming the attack doesn't have any nasty side effects but even then unless you completely eradicate then those that survive evolve to cope resulting in all your expensive research becoming increasingly useless. In the event that you did manage to kill all the roaches then something else would take its place and you would need to start again against a possibly worse replacement.
The more holistic approach is always to attack/remove the niche i.e. reduce food availability for example, yes you may push the target into a new niche but the chances are it will be less optimised than the current organism living there, rather than using science to create a superroach that may be more of a problem than the existing strain.
The fact is that the more humans there are the greater the likelihood that organisms will evolve to live off us, use our best weapons now and they will be useless when we actually need them.
-
Tuesday 15th January 2019 15:58 GMT Anonymous Coward
Re: Things may change in future
But - wouldn't they just continue to get bigger and bigger until they eat all the people?
Sure you stopped them from breeding, but introducing unlimited growth sounds dangerous.
But still, can we ride them? Replace soldiers with giant roaches, wars will be less boom boom, and more munch munch. At least they will clean up after.
-
-
Tuesday 15th January 2019 13:11 GMT Anonymous Coward
"The UK government, she said, is not going to start a bug bounty program"
I'm pretty sure that at one point they were looking at it. I received an email (at least a year ago) invitation to join a pilot scheme that NCSC were looking at running. Reading between the lines, it sounded exactly like a bug bounty scheme. I don't believe that anything ever came of it, presumably because they were asking security companies that already did government work to effectively work for free.
-
Tuesday 15th January 2019 14:38 GMT EveryTime
Bug bounty programs are often set up to get people to work for free, or for minimal pay relative to the effort and skill.
But there is a down-side for a company that tries this approach. They will likely attract people motivated solely by money. When a security vulnerability is discovered, the calculation will be "will I make more money by exploiting, selling or reporting this?" Only the minor, low-value bugs will be reported through a bounty program.
-
Tuesday 15th January 2019 23:03 GMT a_yank_lurker
Proper Place
Bug bounty programs are a nice adjunct to what should be done internally. It is an unfortunate situation that no matter how good your people, processes, etc. are, bugs will get out. Thus the last line is the bounty hunters. What I would be more concerned about are the organizations that use bounty hunters as their first line.
-