Freakonomics Author, Stephen Dubner on Bug Bounties and Rat Farming (threatpost.com)
6 points by TheloniusPhunk on Sept 20, 2011 | hide | past | favorite | 7 comments


The guy usually makes sense, but he doesn't here.

You can't breed bugs in programs. You can't earn more money by creating more bugs in your browser. You simply don't have access.


He wasn't making that point. He was making the point that rat farming was bad but software bug farming was good.


Why bring it up at all, then? It didn't serve to illuminate anything. He just brings up a bad analogy, then ... shoots down his own analogy? Why bother?


That's a remarkably silly analogy. Researchers do not introduce vulnerabilities themselves, they are not "farming bugs" to game the system.


Yup. I clicked through, expecting to read an article with some evidence (however flimsy) that developers were intentionally introducing bugs in their software so that their partner could report the bug and claim a bounty. What I actually read was just weak.

The common term for this is the Cobra Effect http://en.wikipedia.org/wiki/Cobra_effect but a quick google doesn't bring up any leads on the veracity of his South Africa / rat-farming variant.

EDIT: more googling doesn't find any source for this other than Dubner himself. Looks like he might have just made it up.


I think, in a way, they are.

The point he's making, in my opinion, is that while farming rats to kill them is useless, farming vulnerabilities is not. There's no real use in advancing our knowledge of rat slaughter, we know how to do that pretty well already, and these rat farmers are indeed gaming the system.

Researchers aren't necessarily injecting bugs in the system unscrupulously, but even if they were, would it be a bad thing? The nature of security is such that bug farming would probably help move the problem forward. The science of mitigating threats is far more complicated than that of killing rats. So manufacturing vulnerabilities will advance our understanding of computer security.

It's a loose metaphor, but I see it.


Either he's explained something really badly or someone has this exactly 180 degrees wrong.



