6 Comments

The ERROR folks describe what they're doing as a bug bounty programme for science. I work in tech and am quite familiar with such schemes (never won a bounty though). The analogy seems kind of dubious and unhelpful.

Tech companies use bug bounty schemes because it's a relatively cheap way to scale up skilled security labor, and for various reasons some security researchers like working that way. It's very culturally specific to security and originates in the somewhat dubious practice of paying obsessive hackers to avoid them selling their exploits on the black market instead. You don't find bug bounties for other kinds of bugs.

One thing that's really important is that tech firms obviously don't like paying out bounties, and so invest heavily in hiring full timers and doing their own audits. For years Apple didn't have a bug bounty scheme. When they eventually launched one, they explained the reason they'd lagged behind: their own internal audits were producing so many findings they didn't feel any need for outside help. Firms also put in place systems and rules designed to stop bugs happening at all.

This doesn't map well to what ERROR is doing. A real bug bounty scheme for science would look like universities all staffing up scientific integrity departments that systematically audit their own professor's work, and when the audits finally start to come back clean they begin payouts to third parties who find fraud/dishonesty/incompetence in their own work. They would explicitly compete on how much integrity their staff had.

A very small programme finding flaws in work by other institutions isn't going to help. There are already volunteers who do this and universities ignore them. Bounties work because the companies really do want to be secure, and the hacker types mostly just do it for the thrill and don't really care who gets their exploits as long as they get some recognition, so all the incentives are aligned.

Expand full comment

Although I do think it’s a cool idea (better to have audits full stop, when before there just weren’t any!), like you I do wonder how they think it’ll scale. I now also work in tech so my immediate thought is “will an AI do this one day?” - but universities having proper integrity departments would also help. That would require them to care, though…

Expand full comment

The podcasts are enjoyable and informative. Thanks.

Expand full comment

Is there sex disaggregated data regarding the lead and crime hypothesis? If so, what does it show? Given the difference in crime rates between the sexes, especially violent crimes this seems like a pertinent question.

Expand full comment

Lots of snake oil out there in all fields of study. Nothing new about this obvious factoid.

Expand full comment

Lots of snake oil in any field. If it smells fishy: investigate further.

Expand full comment