Newest bug bounty touts $10K rewards, appeals for help in finding Flash flaws
Vulnerability broker mocks talk of 'heroes' who find bugs
Computerworld - A new entry in the cash-for-bugs business, the Internet Bug Bounty, recently paid out its first $10,000 rewards.
And on Friday, one of the researchers who judges bug report entries issued a plea to other security experts to join the hunt for flaws in Adobe's Flash Player, the media player notorious for its vulnerability volume and frequent patching.
The Internet Bug Bounty (IBB) paid $10,000 each to a pair of security researchers in late February for vulnerabilities they found in Flash, the highest-value rewards from the group since its inception last year.
"This shows that the IBB is serious about rewarding research which makes us all safer," said Chris Evans, a security engineer on the Google Chrome team and one of 11 panelists who mange the program and help vendors set payments. "$10,000 is a respectable reward by modern bug bounty program standards," Evans wrote on his personal blog four weeks ago.
The IBB paid $10,000 to David Rude on Feb. 20 and another $10,000 several days later to Clement Lecigne. Rude works as a security researcher for VeriSign's iDefense, another bug bounty program; Lecigne works for Google in its Swiss office.
IBB launched in November 2013 with a first round of bounty funding coming from Facebook and Microsoft. The latter does not have a regular bug bounty program of its own, although it does pay for broader-scope discoveries of ways to circumvent the defensive technologies baked into Windows. Other than Evans, the IBB panel includes representatives from Adobe, Facebook, iSec Partners, Microsoft and Signal Sciences.
At the time of its debut, IBB was applauded for taking a collective approach to compensating researchers.
Evans was hopeful that IBB would find other sponsors to fund the group's rewards. "The more sponsors we have on board, the more money we can inject into the whitehat community in order to make us all safer," Evans said in an email reply to questions last week. "More sponsors would mean we could cover more products and pay larger rewards."
IBB currently has a 180-day patch-or-publish guideline -- if a vendor is unable or unwilling to fix a reported flaw, details may be made public -- but it may follow HP TippingPoint Zero Day Initiative's (ZDI) lead and reduce that. "We applaud ZDI's efforts to encourage vendors to patch faster, and may follow suit," said Evans, referring to ZDI's recent announcement that it would decrease the timeline to 120 days. "Not everyone has woken up to this, but when a whitehat researcher discloses an issue, there's a reasonable chance that nefarious actors already know about the vulnerability. Therefore, taking a long time to patch puts everyone at risk."
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts