Following the lead of Mozilla and Google, Barracuda Networks is launching a bug bounty program that will pay out cash rewards for vulnerabilities found in the company’s own products.
The move by Barracuda, a maker of mail security and data protection products, is the first such bug bounty program offered by a pure security technology vendor. Mozilla and Google are the two most prominent examples of general technology companies that offers rewards for vulnerabilities, and both of those companies have seen their programs succeed in the last year. In fact, both Google and Mozilla have raised the prices that they pay for the most severe bugs, with Mozilla shelling out up to $3,000 and Google paying as much as $3,133.7 for bugs.
Barracuda officials said they’ll match Google’s top price for severe bugs and the minimum bug bounty will be $500. The company will only pay out rewards for bugs that are disclosed privately to Barracuda, although once the bug is fixed, the researcher is free to disclose it publicly. Bugs found in barracuda’s Spam and Virus Firewall, Web Filter, Web Application Firewall and NG Firewall are eligible for the cash rewards.
Bugs that are in scope for the reward program are vulnerabilities that compromise confidentiality, availability,
integrity or authentication. Those would include vulnerabilities such as remote exploits, privilege
escalation, cross site scripting, code execution, command injection.
“Security product vendors should be at the
forefront of promoting security research,” Paul Judge, chief research
officer at Barracuda Networks, said in a statement. “This initiative reflects our commitment to
our customers and the security community at large. The goal of this program is
to reward researchers for their hard work as well as to promote and encourage
responsible disclosure.”
As a profitable, legitimate market for vulnerability information has developed in recent years with the success of the Zero Day Initiative and other third-party brokers, there has been more and more pressure on the vendors themselves to pay for bugs.
While Mozilla and Google officials have been happy with the results of
their bug bounty programs–Google in fact just expanded its program to
its web properties–and researchers have praised the companies for
recognizing their work, other high-profile software vendors have stayed
on the sidelines. Microsoft officials have repeatedly said that the
company will not pay for bugs and Apple and Adobe, which have been under
increased scrutiny by attackers and researchers of late, have not
offered bounties either.