Vulnerabilities / Threats

7/21/2017
12:40 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Internet Bug Bounty Receives New Funding to Expand Internet Safety Program

Facebook, Ford Foundation and GitHub donate $300,000 to award hackers who improve internet infrastructure

SAN FRANCISCO July 21, 2017 The Internet Bug Bounty (IBB), the not-for-profit bug bounty program for core internet infrastructure and open source software, today announced three donations of $100,000 each: a renewal from Facebook as well as new investments from Ford Foundation and GitHub. The sponsorships will be used to reward hackers for making the internet a more secure public domain, allowing the IBB to expand the scope and impact of its already far-reaching bug bounty program.

The IBB recognizes and rewards security research that identifies vulnerabilities in internet infrastructure and free open source projects. Since its inception less than four years ago, the IBB has awarded over $616,000 to hackers who have helped uncover more than 625 security vulnerabilities in technologies that support the internet underpinnings and widely adopted open source projects. Over $150,000 was awarded to hackers in the last year alone for more than 250 vulnerabilities. Of the total bounties awarded to hackers, over $45,000 has been donated to charities and nonprofit organizations by these individuals.

“The generous donations from Facebook, Ford Foundation and GitHub lay the foundation for the IBB to expand its vision of making the internet more secure,” said Alex Rice, HackerOne CTO and founder, who serves on the IBB’s panel. “When we have the means to reward altruistic hackers for uncovering critical vulnerabilities in public domains, we are making the internet a safer place for everyone.”

Ford Foundation and GitHub join existing IBB sponsors Facebook, Microsoft and HackerOne in recognizing hackers’ significant contributions to securing the internet.

“Facebook has supported the IBB since its inception and we are proud to renew our commitment,” said Alex Stamos, chief security officer at Facebook. “The internet can bring very positive forces into people's lives and we must work together to make these vital technologies safer.”

“At Ford Foundation we believe that a secure, free and open internet is critical in the fight against inequality,” said Michael Brennan, Ford Foundation’s technology program officer on the Internet Freedom team. “The open source infrastructure of the internet is part of a public commons that we are committed to help maintain and draw attention to. A necessary part of this maintenance is recognizing and rewarding those who uncover critical vulnerabilities in freely available code that we all rely upon.”

The latest rounds of sponsorship will enable the IBB to expand the existing scope to introduce a new "Data Processing Program," which aims to encompass numerous widespread data parsing libraries, as these have been an increasing avenue for exploitation. The IBB will also expand the scope to cover technologies that serve as the technical foundation of a free and open internet, such as OpenSSL.

“Open source software underpins the backbone of the internet and society’s most critical digital infrastructure,” said Shawn Davenport, VP of security at GitHub. “We believe deeply in the importance of this initiative, and we’re excited to sponsor the Internet Bug Bounty and support the people who work tirelessly every day to ensure the internet is as safe and secure as it can possibly be.”

The IBB has recognized researchers for uncovering vulnerabilities in some of the most important open source software, including RubyGems, Ruby, Phabricator, PHP, Python and OpenSSL, among others. Through the IBB, hackers have been rewarded for identifying and reporting on critical vulnerabilities, including ImageTragick ($7,500 bounty), Heartbleed ($15,000 bounty) and Shellshock ($20,000 bounty).

About the Internet Bug Bounty

The Internet Bug Bounty (IBB) is a not-for-profit bug bounty program that provides financial rewards to hackers who identify critical vulnerabilities in internet infrastructure and free open-source software. Since it was founded in 2013, the IBB has awarded white-hat hackers over $616,350 USD in bounties for reporting over 625 valid vulnerabilities in technologies supporting the underpinnings of the internet. The organization is comprised of a panel of influential experts from the security community who are responsible for defining the guidelines for the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise. For more details on how the IBB operates, including guidelines around how scope and bounty prices are determined, finances, panel member requirements, please see its charter.

About HackerOne

HackerOne is the #1 hacker-powered security platform, connecting organizations with the world’s largest community of trusted hackers. More than 800 organizations, including the U.S. Department of Defense, General Motors, Twitter, GitHub, Nintendo, Panasonic Avionics, Qualcomm, Square, Starbucks, Dropbox and the CERT Coordination Center trust HackerOne to find critical software vulnerabilities before criminals can exploit them. HackerOne customers have resolved nearly 50,000 vulnerabilities and awarded more than $18M in bug bounties. HackerOne is headquartered in San Francisco with offices in London and the Netherlands.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Darn - typed UNICORN instead of UNICODE.  
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.