Feeds

Microsoft, Facebook: We'll pay cash if you can poke a hole in the INTERNET

New bug-hunting program to shore up security across the whole damn web

Security for virtualized datacentres

While Facebook and Microsoft already run security bug bounty programs of their own, the two companies are now working together to reward researchers who can find flaws in some of the underlying technologies behind online communications.

The Internet Bug Bounty program will pay a minimum for $5,000 for flaws in sandboxed applications or for bugs in fundamental internet technologies such as DNS and SSL. Lower payouts are offered for spotting problems in Ruby, Python, PHP, Apache, Perl, and other software.

"Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism," the two companies said on the bounty program's website.

"We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers."

To qualify, flaws must found in code that is in widespread use, of serious or critical severity, or be an unusual or novel hack that no one has thought of as yet. Once reported and verified, software providers will have 180 days to fix the problem before any announcement is made of money paid out.

The 10-person judging panel is dominated by Microsoft and Facebook staff, but there will be input from Google's security researcher Chris Evans, director of security engineering at Etsy Zane Lackey, and penetration tester from iSec Jesse Burns.

The contest is open to anyone in the world, except those countries under US trade embargo. There's no age limit, but if you're not yet a teenager then a parent or guardian will have to claim the money for you.

If researchers choose to donate their winnings to charity, the program may increase the end payout as a gesture of altruism. It's a sad fact of life that the baseline payouts on offer here are far less than what weaponized exploits against unpatched security bugs can fetch on the open market – although the Internet Bug Bounty sets no upper limit on payments for some security holes. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.