A bounty program begun by a bevy of industry heavyweights, including Microsoft and Facebook, will pay good money to white hats, researchers and even aspiring young hackers who find bugs in any of a dozen technologies central to the vitality and trustworthiness of the Internet.
Dubbed the Internet Bug Bounty, the program aims to make the Internet more secure and to give researchers an incentive to turn over bugs rather than exploit them. The bounty will pay out cash rewards, with minimum bounties ranging from $1,500 to $5,000, and the sponsor companies will act as intermediaries with the affected vendors.
“The Internet Bug Bounty is accessible to a broad pool of security researchers and has the potential to improve security for a wide variety of technology users,” said Katie Moussouris, senior security strategy lead, Microsoft Trustworthy Security. “This bounty is a great way to support coordinated disclosure of critical vulnerabilities in shared components of the Internet stack.”
Along with Microsoft and Facebook, researchers from Google, iSEC Partners and Etsy make up the panel.
The bounty’s website, hackerone.com, lays out its disclosure policy online, urging researchers to promptly report vulnerabilities and support further investigation into those reports, while asking vendor or open source response teams to transparently address vulnerabilities, publicly recognize bug-finders and never legally threaten researchers.
Researchers must report vulnerabilities through the HackerOne platform, and the details will not be made public for 30 days, giving the affected response team time to remediate. That deadline can be extended to as many as 180 days, the bounty’s rules state, but only in certain unusual cases.
If the bug in question is being actively exploited, the bounty team reserves the right to publicly provide remediation details; no bug details remain private beyond six months.
“If a Response Team is unable or unwilling to issue a patch, the contents of the Bug Report will become publicly available according to the timelines provided,” the rules state. “In no case will the details of a vulnerability be kept non-public beyond 180 days. We believe transparency is in the public’s best interest in these extreme cases.”
The highest payouts are for application sandbox escape vulnerabilities in products such as Chrome, Internet Explorer, Adobe Reader and Flash on Windows 7, Linux and OS X, and core Internet technologies such as DNS, SSL or crypto protocols.
Sandbox bypass exploits have been all the rage this year with hackers taking advantage of weaknesses in Java and other third-party components and browsers to gain control over the underlying system.
“The specifics of these [escape] techniques will differ between implementations but typically manifest as a kernel vulnerability, broker vulnerability or logic error,” the bounty panel said, adding that implementation bugs should be reported to the vendor and are not eligible for a bounty. “Your submission should include why you believe the bug is external to the application itself (e.g., a kernel bug).”
As for Internet bugs, eligible vulnerabilities should be widespread, vendor-agnostic, severe and new, the bounty panel said.
“The Internet Bug Bounty panel will award public research into vulnerabilities with the potential for severe security implications to the public,” the panel said. “Simply put: Hack all the things, send us the good stuff, and we’ll do our best to reward you.”
The other technologies in scope are: OpenSSL ($2,500 minimum bounty); Python ($1,500); Ruby ($1,500); PHP ($1,500); Rails ($1,500); Perl ($1,500); Apache httpd ($500); Nginx ($500); Phabricator ($300); and Django (unannounced).