Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Microsoft and Facebook announce bug bounty - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft and Facebook announce bug bounty

Microsoft and Facebook under the auspices of HackerOne have announced a bug bounty program for the key applications that power the Internet.  The bounty covers a wide range of applications from the sandboxes in popular browsers to the programming languages that power the LAMP stack, php, Perl, Ruby and Rails, to the the web servers that serve up the content, nginx and apache and others.  Bounties for a successful vulnerability report are from a few hundred dollars to a couple of thousand.

I have, in the past, been on the fence over the value of bug bounties.  But the recent spate of zero-day attacks have made me rethink this stance.  It is clear that we need to find a way to reduce the number of vulnerabilities in software as early in the software development cycle as possible.  I come from a software development background and am painfully aware of how difficult it is to avoid making mistakes in coding, and testing can never exercise all possible ways an application can be abused.  I was once of the belief that code coverage tools and dynamic and static analysis tools would close that gap somewhat, but what tools do exist have not met expectations.

Until the unlikely day comes that we can ensure applications are deployed without vulnerabilities perhaps the best we can achieve are bug bounties to help stay a bit ahead of the bad guys.  

 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

290 Posts
ISC Handler
The problem that I see with bug bounties is that they pay so much less than the going price for zerodays on the black market. This means that the people who would be motivated for the money instead of the fame are more likely to continue to sell to the highest bidder. Those that would collect the bug bounties probably would have done it for free anyway. We still have a problem. This is not to say that honest whitehats do not appreciate getting a little extra lunch money, but the bug bounty program is not likely to increase the reporting of such bugs by very much unless the payoff is competitive.
Moriah

133 Posts
"It is clear that we need to find a way to reduce the number of vulnerabilities in software as early in the software development cycle as possible."

Utopian thought, that would interfere with their next released that has numerous undocumented features and slow the flow of $. How many patches did Windows 3.0 and 3.1X have?

But then.. 95,98, ME, 2000, XP, Vista, 7,8 and lets not forget the server side or office products, thousands.

This is what happens when a company is too big to fail, they fail to produce a decent product. Now, if the company was fined with a bounty.. you might see a lot of these issues go away. Oracle ie.. Java... MS, Cisco.. ect.
ICI2I

63 Posts

Sign Up for Free or Log In to start participating in the conversation!