Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/7/2013
05:51 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Bucks For Bugs Program Focuses On Open-Source Software, Internet Infrastructure

Microsoft and Facebook co-sponsor community bug bounty program that pays researchers for flaws found in popular open-source software, Internet protocols

Programs that pay security researchers for finding flaws in software have become all the rage, and now a new bug bounty program launched this week rewards finding vulnerabilities in key open-source software platforms as well as the underlying Internet infrastructure.

Microsoft and Facebook -- under the auspices of HackerOne -- are co-sponsoring The Internet Bug Bounty, a program that pays anywhere from $300 to $2,500 for a new vulnerability found in key open-source platforms, such as OpenSSL, Python, Ruby, PHP, Django, Rails, Perl, Phabricator, Ngix, and Apache httpd. The program also rewards a minimum of $5,000 to researchers who find working flaws in sandbox technologies, and a minimum of $5,000 for bugs found in the Internet's underlying infrastructure, such as DNS, SSL, or PKI, for example.

"I'm really happy about this program," says renowned security researcher Dan Kaminsky, who discovered a key DNS bug in 2008 that affected a large portion of the Internet. "The black market has gotten so hot because there are so many players doing criminal activities ... more accurately, they are out to compromise systems, and that takes a lot of work even to identify a flaw [to exploit].

"If nothing else, this program provides direct incentive for people to raise the quality of [software] flaw analysis," he says, pointing to the program's emphasis on quality vulnerability finds that pose real risks to the Internet community and its well-defined guidelines that promote responsible hacking.

Not all bug discoveries will actually qualify for a bounty payment, either, according to the program's disclaimer. In the case of Internet bugs, for example, the criteria for a paid flaw is one that affects multiple products, affects a significant number of users, or is "severe" or "novel," for instance.

There are two rewards for each bug -- one for finding it and the other for fixing it. So a researcher could make twice as much money by discovering and repairing a flaw.

Both Microsoft and Facebook, like many major vendors today, have established their own bug bounty programs that pay researchers who find flaws in their products.

"Facebook and Microsoft are funding the initial round, but this is a broader community effort involving participation from a range of backgrounds. We're all invested in the security of the Internet, and since we've all seen the positive benefits from bug bounty programs, it was a natural extension for some of the heaviest users of the Web to partner up to help protect it," says Alex Rice, product security lead at Facebook.

[How Microsoft's new bug bounty program will play in the quest for more secure software. See Microsoft's Big Bucks For Bugs Ups The Ante .]

A panel of volunteers from the security community is charged with managing the program, including Microsoft's Katie Moussouris, Matt Miller, Roman Porter, and Arthur Wongtschowski; Facebook's Rice, Neal Poole, and Colin Greene; Chrome's Chris Evans; iSec Partners' Jesse Burns; and Etsy's Zane Lackey.

"The Internet Bug Bounty is accessible to a broad pool of security researchers and has the potential to improve security for a wide variety of technology users," says Moussouris, senior security strategy lead for Microsoft Trustworthy Security. "This bounty is a great way to support coordinated disclosure of critical vulnerabilities in shared components of the Internet stack."

Countering the black market for bugs, indeed, is the main incentive for heavy-hitters like Microsoft and Facebook to team up and sponsor a vulnerability reward program for open-source platforms, says Chris Wysopal, CTO at Veracode. "This is a reaction to that" black market for bugs, he says. "This is really trying to disrupt the offensive market. As the offensive side of vulnerability finding has grown, this is counterbalancing it."

And more secure open-software platforms also benefit those vendors, as well as the entire Internet community, security experts say. "This is definitely helping out those open-source projects," Veracode's Wysopal says. "And [the vendors involved] are also helping themselves because they use these products. It's a win for them and a win for the Internet, in general."

The closest thing to a bug bounty for finding flaws in open-source software is Google's new patch bounty, announced earlier this month. Google launched an experimental program that offers rewards for coming up with security improvements to key open-source projects, such as OpenSSH, BIND, Chromium, and KVM.

Open-source software is often considered the weak link in applications, as flaws in open-source code have been targeted by attackers looking for the quickest and simplest way to break into systems. Community software projects typically lack sufficient resources to stay on top of bugs and patches, so the new HackerOne program should help.

Whether this newfound abundance of bug bounty programs will boost or dilute efforts to secure software remains to be seen. Facebook's Rice says the new program complements existing ones. "We see this program as complementary to existing bug bounty programs, and it’s focused on covering areas of the Web that aren’t currently in scope for existing programs," he said in an email interview.

Kaminsky, chief scientist and co-founder of fraud prevention startup White Ops, says the bigger problem with many bug bounty programs has been lesser-quality bug finds, and this new program should raise the bar to avoid that. "What's good about having this overarching program is that it very much puts a stake in the ground that this is what a program should look like, these are the types of good bugs to pay for," he says.

The Internet Bug Bounty has inspired Wysopal to rethink Veracode's informal bug bounty program for its own software. The secure code firm currently sends a "thank you package" to a researcher who finds any flaws in its code: It has no official funding for a bounty program at this time. Wysopal says he thinks the program may pressure other vendors to pony up with monetary awards for bugs found in their software, even at Veracode: "Maybe I'll see if I can get some" funding now, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RonR595
50%
50%
RonR595,
User Rank: Strategist
11/9/2013 | 3:04:58 PM
re: New Bucks For Bugs Program Focuses On Open-Source Software, Internet Infrastructure
Actually, from all that I have read, open source has similar rate of defects compared to commercial software, and is actually fixed faster by the respective community. The problem for most developers is that unless you sign up to a service that would proactively alert you, you will likely not know of the new vulnerability, and therefore will not fix.

Before we added such service to White Source, almost all our customers told us that no one is tasked with continuously monitoring the various web-based databases for new vulnerabilities that are discovered and that affect code used in their product. So they would not know, even if these would be discovered, and hence they wont fix....

Dont get me wrong. Its great to put more power behind the discovery, but the dissemination of information is where things get complicated. Its also not trivial to (automatically) match a CVE to a specific open source library.
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...
CVE-2019-11644
PUBLISHED: 2019-05-17
In the F-Secure installer in F-Secure SAFE for Windows before 17.6, F-Secure Internet Security before 17.6, F-Secure Anti-Virus before 17.6, F-Secure Client Security Standard and Premium before 14.10, F-Secure PSB Workstation Security before 12.01, and F-Secure Computer Protection Standard and Premi...