November 10th, 2013, 22:17 PM
Shared bug bounty program praised by security researchers
Facebook and Microsoft are winning plaudits from security researchers for launching an initiative to offer bounties to bug hunters who discover and report vulnerabilities in widely used products.
Unlike other bug bounty programs, the program announced this week by the duo is not vendor-specific. Rather it will reward bug hunters for vulnerabilities they discover in a range of technologies that includes Python, Perl, PHP, Ruby on Rails, and Django, Apache and Nginx Web. Also covered are technologies such as the application sandbox mechanisms in Internet Explorer 10, Google Chrome, and Adobe Reader.
A website set up under the program allows bug hunters to report vulnerabilities and connect them with response teams capable of addressing the bugs. The site spells out the vulnerability disclosure guidelines, specific disclosure timelines and processes that security researchers must follow to qualify for a reward.
The Internet Bug Bounty program aims to reward security research in areas that will ultimately make the Web more secure overall, according to Facebook and Microsoft.
"Our approach is meant to help reward contributions towards either side of the solution," a spokesman for the program said on Friday. There are two awards for each bug: one for finding it and one for fixing it. The bug's discoverer can double the initial bounty by providing a fix, or another volunteer from the community can step in and claim the "fix" bounty," he said.
Dan Kaminsky, co-founder and chief scientist of security start up WhiteOps, called the effort ground-breaking. "What Microsoft and Facebook are saying is that if software has reached the level of being infrastructure, then it is in everyone's interest to get it fixed" and insure it's secure, he said.