Security researchers laud Microsoft, Facebook bug bounty programs

Efforts should provoke responsible vulnerability research on widely used technologies

Facebook and Microsoft are winning plaudits from security researchers for launching an initiative to offer bounties to bug hunters who discover and report vulnerabilities in widely used products.

Unlike other bug bounty programs, the program announced this week by the duo is not vendor specific. Rather it will reward bug hunters for vulnerabilities they discover in a range of technologies that includes Python, Perl, PHP, Ruby on Rails and Django, Apache and Nginx Web. Also covered are technologies such as the application sandbox mechanisms in Internet Explorer 10, Google Chrome and Adobe Reader.

A website set up under the program allows bug hunters to report vulnerabilities and connect them with response teams capable of addressing the bugs. The site spells out the vulnerability disclosure guidelines, specific disclosure timelines and processes that security researchers must follow to qualify for a reward.

The Internet Bug Bounty program aims to reward security research in areas that will ultimately make the Web more secure overall, according to Facebook and Microsoft.

"Our approach is meant to help reward contributions towards either side of the solution," a spokesman for the program said on Friday. There are two awards for each bug: one for finding it and one for fixing it. The bug's discoverer can double the initial bounty by providing a fix, or another volunteer from the community can step in and claim the "fix" bounty," he said.

Dan Kaminsky, co-founder and chief scientist of security start up WhiteOps, called the effort ground-breaking. "What Microsoft and Facebook are saying is that if software has reached the level of being infrastructure, then it is in everyone's interest to get it fixed" and insure it's secure, he said.

In 2008, Kaminsky reported a DNS cache poisoning vulnerability that affected virtually every domain name server on the Internet and led to an unprecedented synchronized patching effort by Microsoft, Cisco and numerous other technology vendors. Patching the problem involved months of coordinated effort between numerous vendors, security researchers and the U.S. Computer Emergency Response Team (U.S. CERT).

This program will make it easier for security researchers to report vulnerabilities that touch multiple products and technologies and will enable a better response, he said. "What Facebook and Microsoft have done is cut the Gordian Knot," he said.

Reeny Sondhi, director of product security assurance at EMC Corp., called the bug bounty program a worthy initiative.

"We have seen multiple vendors have their own bug bounty programs," Sondhi said. "This is the first time where there have seen a collective intent to come together for security research."

Sondhi called the effort a positive step to encourage responsible vulnerability disclosures affecting critical Internet infrastructure technologies. Many of the technologies covered by the bug bounty program are integrated into products from numerous vendors, Sondhi said.

"At EMC and RSA, we use many of the components that are part of the program," she said. "When we embed some of these technologies in our products, we end up inheriting vulnerabilities [that may exist in them]."

Any effort to address such vulnerabilities is a good thing, she said.

The spokesman for the bug bounty program said that Facebook and Microsoft will fund the initial round of bounties being offered under the initiative. "But this is a broader community effort involving participation from a range of backgrounds," he said. "We're all invested in the security of the Internet, and since we've all seen the positive benefits from bug bounty programs, it was a natural extension for some of the heaviest users of the web to partner up to help protect it."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at  @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies