
Vulnerabilities / Threats

7/21/2017
12:40 PM
Dark Reading

Internet Bug Bounty Receives New Funding to Expand Internet Safety Program

Facebook, Ford Foundation and GitHub donate $300,000 to award hackers who improve internet infrastructure

SAN FRANCISCO, July 21, 2017 -- The Internet Bug Bounty (IBB), the not-for-profit bug bounty program for core internet infrastructure and open source software, today announced three donations of $100,000 each: a renewal from Facebook as well as new investments from Ford Foundation and GitHub. The sponsorships will be used to reward hackers for making the internet a more secure public domain, allowing the IBB to expand the scope and impact of its already far-reaching bug bounty program.

The IBB recognizes and rewards security research that identifies vulnerabilities in internet infrastructure and free open source projects. Since its inception less than four years ago, the IBB has awarded over $616,000 to hackers who have helped uncover more than 625 security vulnerabilities in technologies that support the internet underpinnings and widely adopted open source projects. Over $150,000 was awarded to hackers in the last year alone for more than 250 vulnerabilities. Of the total bounties awarded to hackers, over $45,000 has been donated to charities and nonprofit organizations by these individuals.

“The generous donations from Facebook, Ford Foundation and GitHub lay the foundation for the IBB to expand its vision of making the internet more secure,” said Alex Rice, HackerOne CTO and founder, who serves on the IBB’s panel. “When we have the means to reward altruistic hackers for uncovering critical vulnerabilities in public domains, we are making the internet a safer place for everyone.”

Ford Foundation and GitHub join existing IBB sponsors Facebook, Microsoft and HackerOne in recognizing hackers’ significant contributions to securing the internet.

“Facebook has supported the IBB since its inception and we are proud to renew our commitment,” said Alex Stamos, chief security officer at Facebook. “The internet can bring very positive forces into people's lives and we must work together to make these vital technologies safer.”

“At Ford Foundation we believe that a secure, free and open internet is critical in the fight against inequality,” said Michael Brennan, Ford Foundation’s technology program officer on the Internet Freedom team. “The open source infrastructure of the internet is part of a public commons that we are committed to help maintain and draw attention to. A necessary part of this maintenance is recognizing and rewarding those who uncover critical vulnerabilities in freely available code that we all rely upon.”

The latest rounds of sponsorship will enable the IBB to expand the existing scope to introduce a new "Data Processing Program," which aims to encompass numerous widespread data parsing libraries, as these have been an increasing avenue for exploitation. The IBB will also expand the scope to cover technologies that serve as the technical foundation of a free and open internet, such as OpenSSL.

“Open source software underpins the backbone of the internet and society’s most critical digital infrastructure,” said Shawn Davenport, VP of security at GitHub. “We believe deeply in the importance of this initiative, and we’re excited to sponsor the Internet Bug Bounty and support the people who work tirelessly every day to ensure the internet is as safe and secure as it can possibly be.”

The IBB has recognized researchers for uncovering vulnerabilities in some of the most important open source software, including RubyGems, Ruby, Phabricator, PHP, Python and OpenSSL, among others. Through the IBB, hackers have been rewarded for identifying and reporting on critical vulnerabilities, including ImageTragick ($7,500 bounty), Heartbleed ($15,000 bounty) and Shellshock ($20,000 bounty).

About the Internet Bug Bounty

The Internet Bug Bounty (IBB) is a not-for-profit bug bounty program that provides financial rewards to hackers who identify critical vulnerabilities in internet infrastructure and free open-source software. Since it was founded in 2013, the IBB has awarded white-hat hackers over $616,350 USD in bounties for reporting over 625 valid vulnerabilities in technologies supporting the underpinnings of the internet. The organization is composed of a panel of influential experts from the security community who are responsible for defining the guidelines for the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise. For more details on how the IBB operates, including guidelines on how scope and bounty prices are determined, finances and panel member requirements, please see its charter.

About HackerOne

HackerOne is the #1 hacker-powered security platform, connecting organizations with the world’s largest community of trusted hackers. More than 800 organizations, including the U.S. Department of Defense, General Motors, Twitter, GitHub, Nintendo, Panasonic Avionics, Qualcomm, Square, Starbucks, Dropbox and the CERT Coordination Center trust HackerOne to find critical software vulnerabilities before criminals can exploit them. HackerOne customers have resolved nearly 50,000 vulnerabilities and awarded more than $18M in bug bounties. HackerOne is headquartered in San Francisco with offices in London and the Netherlands.
