Bug bounty program pays researchers that find flaws in widely-used software
Microsoft and Facebook team up to reward vulnerability research that could help many Internet users
IDG News Service - A new bug bounty program sponsored by Microsoft and Facebook will reward security researchers for finding and reporting vulnerabilities in widely used software that have the potential to affect a large number of Internet users.
The program will be run by a panel of researchers from Facebook, Google, Microsoft and several other companies who helped manage or participated in other security bounty programs over the years.
"Our experiences have left us with a calling to improve vulnerability disclosure for everyone involved to bring the Internet to a better place," the researchers said on hackerone.com, the website hosting the new bug bounty program and which will connect bug hunters to response teams that can resolve the reported flaws.
The new program will reward vulnerabilities found in the Python, Ruby, PHP and Perl interpreters; the Django, Ruby on Rails and Phabricator development tools and frameworks; the Apache and Nginx Web servers, and the application sandbox mechanisms of Google Chrome, Internet Explorer 10, Adobe Reader and Flash Player.
The discovery of security issues that affect software implementations from multiple vendors or a vendor with dominant market share, such as vulnerabilities in Internet protocols, will also be rewarded. Example of past vulnerabilities that would have qualified in this category include the 2008 collision attack against the MD5 hashing function that was used to generate a forged CA certificate, the BEAST attack against SSL and the DNS cache poisoning vulnerability reported by security researcher Dan Kaminsky in 2008, the program organizers said.
The bounty amounts will vary depending on the severity of the reported issues and the software they affect. For example, rewards for finding vulnerabilities in Phabricator will start from $300 and can reach $3,000, but bounties for vulnerabilities in application sandboxes or Internet protocols will start at $5,000 and can be increased significantly at the discretion of the review panel. In the case of some software projects, submitting a patch along with a vulnerability report will double the bounty.
The new program is addressed not only to security researchers, but to anyone who discovers a security issue, as long as they comply with the program's disclosure philosophy and guidelines. That includes academic researchers, software engineers, system administrators, and even casual technologists.
The bounties are currently sponsored by Microsoft and Facebook, but the HackerOne panel encourages response teams who will address the reported issues to financially motivate security research if they can afford to.
Last month Google announced a similar initiative to pay for security fixes and code strengthening patches in widely used open-source applications and software libraries including OpenSSL, OpenSSH, BIND, libjpeg, libpng and others. This might explain why Google is not sponsoring the HackerOne bounties even though Chris Evans, a security engineer with the Google Chrome Security Team, is on the HackerOne panel.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts