Large technology companies may already have bug bounty programs in place that reward researchers who attack and find holes in software or web platforms. Slowly, some are also starting to institute programs that pay for defensive measures.
Facebook is the latest to do so with the implementation of its Internet Defense Prize, announced yesterday at the annual USENIX Security Symposium.
The social network also announced the program’s first award, handed out to a pair of researchers from Germany for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications.” Johannes Dahse and Thorsten Holz of Ruhr University in Bochum, Germany, were awarded $50,000 by an award committee made up of Facebook and USENIX representatives.
The Internet Defense Prize is an ongoing program, Facebook’s John “Four” Flynn wrote in a blog post, adding that they are soliciting new entries for a future prize, and that the amount may grow depending on the strength of the submission.
“Recently we started asking ourselves how we could do more to make the web secure and have a greater impact. One of the biggest hurdles we identified was that offensive security work (hacking into this or that) and theoretical academic research often get more recognition than defensive work that prevents vulnerabilities and reduces the effectiveness of attacks,” Flynn wrote. “We decided to focus on creating greater opportunities and incentives for researchers to produce work that actually protects people.”
The intent of the award, he said, is to recognize research that contributes to Internet security in the areas of protection and defense. Facebook has run its Whitehat program for some time, and last November announced its participation in the Internet Bug Bounty, which is similar to the Internet Defense Prize in that it rewards researchers for finding large-scale Internet vulnerabilities.
The Internet Bug Bounty is hosted by HackerOne and also includes other large companies such as Microsoft and Google. Researchers who participate must disclose bugs through HackerOne; bigger payouts go to bugs in ubiquitous technologies such as the leading browsers, Adobe Reader and Flash, and core infrastructure such as SSL and DNS.
Microsoft, meanwhile, hosts its own version of a defensive technology prize, in which it rewards up to $100,000 for exploits that bypass mitigations in Windows and other Microsoft products, and lesser amounts for defensive technologies that can stop an existing mitigation bypass technique. Two $100,000 mitigation bypass rewards have already been paid out by Microsoft.
The greater reward payouts are intended not only as an incentive for researchers to share their exploits and mitigations with vendors, but also to disrupt the growing exploit and vulnerability brokering marketplaces. Exploit vendors such as VUPEN buy bugs from researchers—often for six-figure amounts—and re-sell them in exclusive deals, often with “friendly” governments who in turn generally don’t share details with the affected vendor.
Bug bounty programs such as the Internet Bug Bounty and Internet Defense Prize do share details with the vendor, giving them an agreed-upon length of time to release a patch before details are publicly disclosed.
“It’s no secret that online security has room to improve. Headlines about corporate data breaches or government surveillance pop up and make people wonder what’s being done to make it all better,” Facebook’s Flynn wrote. “The reality is that building a more secure web requires us to go beyond our own software and to focus on parts of the web that are under resourced.”