
Fwd: [IP] Now there's a bug bounty program for the whole Internet

2013-11-07 07:11:47


Begin forwarded message:

From: Dave Farber <dave(_at_)farber(_dot_)net>
Subject: [IP] Now there's a bug bounty program for the whole Internet
Date: 7 Nov 2013 3:05:28 PST
To: ip <ip(_at_)listbox(_dot_)com>
Reply-To: <dave(_at_)farber(_dot_)net>



---------- Forwarded message ----------
From: Dewayne Hendricks 
Date: Thursday, November 7, 2013
Subject: [Dewayne-Net] Now there's a bug bounty program for the whole Internet
To: Multiple recipients of Dewayne-Net <dewayne-net(_at_)warpspeed(_dot_)com>


Now there’s a bug bounty program for the whole Internet
Sponsored by Microsoft and Facebook, program pays researchers big cash 
rewards.
By Dan Goodin
Nov 6 2013
<http://arstechnica.com/security/2013/11/now-theres-a-bug-bounty-program-for-the-whole-internet/>

Microsoft and Facebook are sponsoring a new program that pays big cash 
rewards to whitehat hackers who uncover security bugs threatening the 
stability of the Internet at large.

The Internet Bug Bounty program, which in some cases will pay $5,000 or more 
per vulnerability, is sponsored by Microsoft and Facebook. It will be jointly 
controlled by researchers from those companies along with their counterparts 
at Google, security firm iSec Partners, and e-commerce website Etsy. To 
qualify, the bugs must affect software implementations from a variety of 
companies, potentially result in severely negative consequences for the 
general public, and manifest themselves across a wide base of users. In 
addition to rewarding researchers for privately reporting the 
vulnerabilities, program managers will assist with coordinating disclosure 
and bug fixes involving large numbers of companies when necessary.

The program was unveiled Wednesday, and it builds off a growing number of 
similar initiatives. Last month, Google announced rewards as high as 
$3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, 
BIND, and several other open-source packages. Additionally, Google, Facebook, 
Microsoft, eBay, Mozilla, and several other software or service providers pay 
cash in return for private reports of security vulnerabilities that threaten 
their users.

"We're trying to broaden the scope a little bit and cover a lot of stuff that 
doesn't have a particular vendor behind it or things that all of us benefit 
from joining together to tackle," Alex Rice, a security researcher at 
Facebook, told Ars.

"We've got a lot of customers in common," Microsoft security researcher Katie 
Moussouris added. "It makes sense for us to join together and make the 
Internet safer for everybody."

One focus of the program is defects in so-called security sandboxes. Built 
into programs including the Chrome and Internet Explorer browsers and Adobe's 
Reader and Flash programs, the measures are designed to separate potentially 
dangerous content downloaded from the Internet from sensitive 
operating-system functions, such as those that access data stored on a hard 
drive or install new programs. As sandboxes have become more widely used, 
hacks that allow attackers to bypass sandbox protections have become 
increasingly valuable, especially when they work across multiple OSes or 
applications.

The program will pay rewards for sandbox escapes that typically manifest as a 
vulnerability in an OS kernel or an implementation error. It will also pay 
minimum bounties of $5,000 for significant vulnerabilities that affect the 
Internet at large. Examples include an exploit dubbed BEAST from 2011 that 
silently decrypted HTTPS-encrypted data passing between a Web server and end 
user, a devastating bug in the Debian distribution of Linux that in 2008 
produced easy-to-break cryptography keys, and another vulnerability from 2008 
in the Internet's digital certificate system that allowed attackers to forge 
counterfeit credentials needed to impersonate virtually any website that 
relied on the security measure.

[snip]
