Security researchers laud Microsoft, Facebook bug bounty programs
Efforts should provoke responsible vulnerability research on widely used technologies
Computerworld - Facebook and Microsoft are winning plaudits from security researchers for launching an initiative to offer bounties to bug hunters who discover and report vulnerabilities in widely used products.
Unlike other bug bounty programs, the program announced this week by the duo is not vendor specific. Rather it will reward bug hunters for vulnerabilities they discover in a range of technologies that includes Python, Perl, PHP, Ruby on Rails and Django, Apache and Nginx Web. Also covered are technologies such as the application sandbox mechanisms in Internet Explorer 10, Google Chrome and Adobe Reader.
A website set up under the program allows bug hunters to report vulnerabilities and connect them with response teams capable of addressing the bugs. The site spells out the vulnerability disclosure guidelines, specific disclosure timelines and processes that security researchers must follow to qualify for a reward.
The Internet Bug Bounty program aims to reward security research in areas that will ultimately make the Web more secure overall, according to Facebook and Microsoft.
"Our approach is meant to help reward contributions towards either side of the solution," a spokesman for the program said on Friday. There are two awards for each bug: one for finding it and one for fixing it. The bug's discoverer can double the initial bounty by providing a fix, or another volunteer from the community can step in and claim the "fix" bounty," he said.
Dan Kaminsky, co-founder and chief scientist of security start up WhiteOps, called the effort ground-breaking. "What Microsoft and Facebook are saying is that if software has reached the level of being infrastructure, then it is in everyone's interest to get it fixed" and insure it's secure, he said.
In 2008, Kaminsky reported a DNS cache poisoning vulnerability that affected virtually every domain name server on the Internet and led to an unprecedented synchronized patching effort by Microsoft, Cisco and numerous other technology vendors. Patching the problem involved months of coordinated effort between numerous vendors, security researchers and the U.S. Computer Emergency Response Team (U.S. CERT).
This program will make it easier for security researchers to report vulnerabilities that touch multiple products and technologies and will enable a better response, he said. "What Facebook and Microsoft have done is cut the Gordian Knot," he said.
Reeny Sondhi, director of product security assurance at EMC Corp., called the bug bounty program a worthy initiative.
"We have seen multiple vendors have their own bug bounty programs," Sondhi said. "This is the first time where there have seen a collective intent to come together for security research."
Sondhi called the effort a positive step to encourage responsible vulnerability disclosures affecting critical Internet infrastructure technologies. Many of the technologies covered by the bug bounty program are integrated into products from numerous vendors, Sondhi said.
"At EMC and RSA, we use many of the components that are part of the program," she said. "When we embed some of these technologies in our products, we end up inheriting vulnerabilities [that may exist in them]."
Any effort to address such vulnerabilities is a good thing, she said.
The spokesman for the bug bounty program said that Facebook and Microsoft will fund the initial round of bounties being offered under the initiative. "But this is a broader community effort involving participation from a range of backgrounds," he said. "We're all invested in the security of the Internet, and since we've all seen the positive benefits from bug bounty programs, it was a natural extension for some of the heaviest users of the web to partner up to help protect it."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts