[A2k] Internet Bug Bounty program

Jamie Love james.love at keionline.org
Thu Nov 7 08:46:29 PST 2013


KEI and others are encouraging governments to create prize funds to induce
open source innovations for medical technologies.  This is an interesting
example of the use of innovation prizes in a related field: software.  Jamie


Now there’s a bug bounty program for the whole Internet
Sponsored by Microsoft and Facebook, program pays researchers big cash
rewards.
By Dan Goodin
Nov 6 2013
<http://arstechnica.com/security/2013/11/now-theres-a-bug-bounty-program-for-the-whole-internet/>

Microsoft and Facebook are sponsoring a new program that pays big cash
rewards to whitehat hackers who uncover security bugs threatening the
stability of the Internet at large.

The Internet Bug Bounty program, which in some cases will pay $5,000 or
more per vulnerability, is sponsored by Microsoft and Facebook. It will be
jointly controlled by researchers from those companies along with their
counterparts at Google, security firm iSec Partners, and e-commerce website
Etsy. To qualify, the bugs must affect software implementations from a
variety of companies, potentially result in severely negative consequences
for the general public, and manifest themselves across a wide base of
users. In addition to rewarding researchers for privately reporting the
vulnerabilities, program managers will assist with coordinating disclosure
and bug fixes involving large numbers of companies when necessary.

The program was unveiled Wednesday, and it builds off a growing number of
similar initiatives. Last month, Google announced rewards as high as
$3,133.70 for software updates that improve the security of OpenSSL,
OpenSSH, BIND, and several other open-source packages. Additionally,
Google, Facebook, Microsoft, eBay, Mozilla, and several other software or
service providers pay cash in return for private reports of security
vulnerabilities that threaten their users.

"We're trying to broaden the scope a little bit and cover a lot of stuff
that doesn't have a particular vendor behind it or things that all of us
benefit from joining together to tackle," Alex Rice, a security researcher
at Facebook, told Ars.

"We've got a lot of customers in common," Microsoft security researcher
Katie Moussouris added. "It makes sense for us to join together and make
the Internet safer for everybody."

One focus of the program is defects in so-called security sandboxes. Built
into programs including the Chrome and Internet Explorer browsers and
Adobe's Reader and Flash programs, the measures are designed to separate
potentially dangerous content downloaded from the Internet from sensitive
operating-system functions, such as those that access data stored on a hard
drive or install new programs. As sandboxes have become more widely used,
hacks that allow attackers to bypass sandbox protections have become
increasingly valuable, especially when they work across multiple OSes or
applications.

The program will pay rewards for sandbox escapes that typically manifest as
a vulnerability in an OS kernel or an implementation error. It will also
pay minimum bounties of $5,000 for significant vulnerabilities that affect
the Internet at large. Examples include an exploit dubbed BEAST from 2011
that silently decrypted HTTPS-encrypted data passing between a Web server
and end user, a devastating bug in the Debian distribution of Linux that in
2008 produced easy-to-break cryptography keys, and another vulnerability
from 2008 in the Internet's digital certificate system that allowed
attackers to forge counterfeit credentials needed to impersonate virtually
any website that relied on the security measure.

[snip]

-- 
James Love.  Knowledge Ecology International
http://www.keionline.org, KEI DC tel: +1.202.332.2670, US Mobile:
+1.202.361.3040, Geneva Mobile: +41.76.413.6584,   twitter.com/jamie_love
