Saturday, November 9, 2013

New Bucks for Bugs Program Focuses on Open Source Software, Internet Infrastructure

Dark Reading (11/07/13) Kelly Jackson Higgins

The Microsoft- and Facebook-sponsored Internet Bug Bounty program pays as much as $2,500 for a new vulnerability detected in key open source platforms, and offers a minimum reward of $5,000 to researchers who uncover working flaws in sandbox technologies, as well as bugs in the Internet's underlying infrastructure. "This program provides direct incentive for people to raise the quality of [software] flaw analysis," notes security researcher Dan Kaminsky. An Internet bug found under the program is only deemed worthy of compensation if it affects multiple products or a significant number of users, or is severe or novel. Researchers receive two rewards, one for bug discovery and another for correction. Veracode's Chris Wysopal says Microsoft and Facebook's collaboration reflects the pressing need for key players to counteract the black market for bugs, while also benefiting open source projects. Facebook's Alex Rice says the program is complementary to existing bounty initiatives, and covers areas of the Web that existing programs currently do not. "This bounty is a great way to support coordinated disclosure of critical vulnerabilities in shared components of the Internet stack," says Microsoft's Katie Moussouris. Kaminsky says the program "puts a stake in the ground that this is what a program should look like, these are the types of good bugs to pay for."