New Bucks for Bugs Program Focuses on Open Source Software, Internet Infrastructure
by Kelly Jackson Higgins, Dark Reading
Programs that pay security researchers for finding flaws in software have become all the rage, and now a new bug bounty program launched this week rewards finding vulnerabilities in key open-source software platforms as well as the underlying Internet infrastructure.
The Microsoft- and Facebook-sponsored Internet Bug Bounty program pays as much as $2,500 for a new vulnerability detected in key open source platforms, and offers a minimum reward of $5,000 to researchers who uncover working flaws in sandbox technologies, as well as bugs in the Internet’s underlying infrastructure.
“I’m really happy about this program,” says renowned security researcher Dan Kaminsky, who discovered a key DNS bug in 2008 that affected a large portion of the Internet. “The black market has gotten so hot because there are so many players doing criminal activities … more accurately, they are out to compromise systems, and that takes a lot of work even to identify a flaw [to exploit].
“This program provides direct incentive for people to raise the quality of [software] flaw analysis,” notes Dan Kaminsky. An Internet bug found under the program is only deemed worthy of compensation if it affects multiple products or a significant number of users, or is severe or novel. Researchers receive two rewards, one for bug discovery and another for correction. Veracode’s Chris Wysopal says Microsoft and Facebook’s collaboration reflects the pressing need for key players to counteract the black market for bugs, while also benefiting open source projects.
Facebook’s Alex Rice says the program is complementary to existing bounty initiatives, and covers areas of the Web that existing programs currently do not. “This bounty is a great way to support coordinated disclosure of critical vulnerabilities in shared components of the Internet stack,” says Microsoft’s Katie Moussouris. Kaminsky says the program “puts a stake in the ground that this is what a program should look like, these are the types of good bugs to pay for.”