Microsoft and Facebook, who already run their own bug bounty programs, have announced that they will now work together to offer cash rewards to white hats who discover flaws in popular software applications as well as across the web at large.
The joint program, known as 'HackerOne', offers bounties in return for bugs found in OpenSSL, Python, Ruby, PHP, Rails and Perl, among others. There is also an additional broad category that allows submission of any bug affecting 'The Internet' as a whole.
The advantage of having such a program in place was highlighted as recently as Wednesday, the day HackerOne was announced, when Microsoft warned users about a zero-day vulnerability being exploited through booby-trapped image files.
The HackerOne FAQ says:
Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers.
Of course, curiosity and altruism don't pay the rent, so aspiring bounty hunters will be pleased to hear that their efforts will be rewarded with cash, starting at $300 for vulnerabilities found in Phabricator apps.
Other programs under the HackerOne umbrella pay from $1,500 to $5,000, and judges can award much higher amounts at their discretion. The more generous among you may also be pleased to hear that some members of the judging panel may increase an award where the recipient opts to donate the money to charity.
Almost anyone can take part in the bug bounty program; the only noted restrictions apply to individuals currently on US embargo lists or living in an embargoed nation.
Even minors may submit vulnerabilities, though those under the age of 13 will need to do so through a parent or legal guardian, because the US Children's Online Privacy Protection Act restricts the collection of personal data from children under 13.
To qualify for a bounty, a flaw must be found in widely used code and must be either serious or critical in nature, or otherwise unusual in some way.
One potential drawback that bug hunters may want to consider: once a vulnerability is submitted, it first has to be verified, and the software provider then has 180 days to fix the issue before any disclosure is made or, perhaps more importantly for some, before any money is paid out.
The panel of judges that decides the value of awards is made up primarily of Microsoft and Facebook personnel, complemented by Chris Evans, a Chromium security researcher, Zane Lackey, director of security engineering at Etsy, and Jesse Burns, co-founder of iSec Partners.
This move by Facebook and Microsoft comes at a time when many web-based firms have developed their own programs in order to enhance the security of their products.
Only last month, Microsoft paid out its first $100,000 bounty, to James Forshaw, after he discovered a new type of mitigation bypass technique.
If you are interested in submitting a bug to the HackerOne program, I would suggest that you first read the submission and disclosure guidelines in order to ensure that your efforts are conducted in a responsible and compliant manner.