The Internet Bug Bounty program, a cooperative effort among security researchers and vendors, paid out its first $10,000 bounty this week for a serious Adobe Flash vulnerability. The flaw, which Adobe fixed in December, has been used in targeted attacks.
Started in November, the Internet Bug Bounty is a system set up by security researchers and backed by Microsoft and Facebook to reward researchers who disclose bugs responsibly. Both Microsoft and Facebook have their own bug bounty programs, as do many other vendors, but they cover each company’s specific products. The Internet Bug Bounty program is meant to cover some core Internet technologies such as DNS and SSL, along with widely deployed software such as Flash, Google Chrome and Internet Explorer.
The program has been paying out smaller bounties, but this is its first five-figure payout, and it went to a serious vulnerability. Last week, Citizen Lab researchers reported that the Flash vulnerability was being used in targeted attacks against journalists. Interestingly, David Rude, the iDefense Labs researcher who received the bounty, did not report the bug to the IBB at all; he reported it to Adobe. In fact, he did not even discover it himself: he observed attackers exploiting it. The IBB nonetheless paid Rude the bounty as a reward for that work.
“The IBB culture is to err on the side of paying. Note that David did not discover the vulnerability himself; he discovered someone else using it. IBB culture is to look mainly at whether a given discovery or piece of research helped make us all safer. Our aim is to motivate and incentivize any high-impact work that leads to a safer internet for all,” Google security engineer Chris Evans, an adviser for the IBB, wrote in a blog post on the bounty payment.
“IBB does not want or need details of unfixed vulnerabilities — that would violate strict need-to-know handling. Once a public advisory and fix is issued, researchers or their friends may file IBB bugs to nominate their bugs for reward. Or, for important categories such as Flash or Windows / Linux kernel bugs, panel members keep an eye out for high impact disclosures and nominate on the researchers’ behalf. Because we care.”
Paying researchers for bugs they reported to another organization, or did not discover themselves, is rare in the world of bug bounties. Most companies that run such programs do so to get researchers to find vulnerabilities in their own software, not in other companies' software. Because the IBB is not tied to any one vendor, and only considers bugs once a fix and public advisory are already out, it is free to pay researchers for work that, in Evans's words, makes the Internet safer for everyone.