New bug bounty program rewards researchers for finding flaws in widely used software

Microsoft and Facebook team up to reward vulnerability research that can affect a lot of Internet users

A new bug bounty program sponsored by Microsoft and Facebook will reward security researchers for finding and reporting vulnerabilities in widely used software that have the potential to affect a large number of Internet users.

The program will be run by a panel of researchers from Facebook, Google, Microsoft and several other companies who helped manage or participated in other security bounty programs over the years.

"Our experiences have left us with a calling to improve vulnerability disclosure for everyone involved to bring the Internet to a better place," the researchers said on hackerone.com, the website hosting the new bug bounty program and which will connect bug hunters to response teams that can resolve the reported flaws.

The new program will reward vulnerabilities found in the Python, Ruby, PHP and Perl interpreters; the Django, Ruby on Rails and Phabricator development tools and frameworks; the Apache and Nginx Web servers, and the application sandbox mechanisms of Google Chrome, Internet Explorer 10, Adobe Reader and Flash Player.

The discovery of security issues that affect software implementations from multiple vendors or a vendor with dominant market share, such as vulnerabilities in Internet protocols, will also be rewarded. Example of past vulnerabilities that would have qualified in this category include the 2008 collision attack against the MD5 hashing function that was used to generate a forged CA certificate, the BEAST attack against SSL and the DNS cache poisoning vulnerability reported by security researcher Dan Kaminsky in 2008, the program organizers said.

The bounty amounts will vary depending on the severity of the reported issues and the software they affect. For example, rewards for finding vulnerabilities in Phabricator will start from $300 and can reach $3,000, but bounties for vulnerabilities in application sandboxes or Internet protocols will start at $5,000 and can be increased significantly at the discretion of the review panel. In the case of some software projects, submitting a patch along with a vulnerability report will double the bounty.

The new program is addressed not only to security researchers, but to anyone who discovers a security issue, as long as they comply with the program's disclosure philosophy and guidelines. That includes academic researchers, software engineers, system administrators, and even casual technologists.

The bounties are currently sponsored by Microsoft and Facebook, but the HackerOne panel encourages response teams who will address the reported issues to financially motivate security research if they can afford to.

Last month Google announced a similar initiative to pay for security fixes and code strengthening patches in widely used open-source applications and software libraries including OpenSSL, OpenSSH, BIND, libjpeg, libpng and others. This might explain why Google is not sponsoring the HackerOne bounties even though Chris Evans, a security engineer with the Google Chrome Security Team, is on the HackerOne panel.

Microsoft's sponsorship of the program might indicate that the company has softened its stance on paying for individual vulnerabilities, a practice it has opposed for years.

Microsoft launched two bounty programs for its own products in June, but with a goal of rewarding research into new defensive techniques or exploitation methods that bypass existing defenses, rather than rewarding the discovery of individual security flaws. On Monday, the company extended one of those programs to also reward reports of new attack techniques discovered by security professionals in active attacks.

Microsoft also ran a more traditional bug bounty program in June to pay for vulnerabilities found in the preview version of Internet Explorer 11, but that program only lasted 30 days.

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags patchesonline safetyGoogleMicrosoftsecuritysoftwareExploits / vulnerabilitiesFacebook

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?