Facebook slings $50k Internet Defense Prize™ at bug hunter duo

Upload exploits, download cash


Facebook and Usenix have together created the Internet Defense Prize™ – and awarded its first gong to security bods Johannes Dahse and Thorsten Holz.

The pair, of Ruhr University Bochum in Germany, received $50,000 from Facebook's prize-giving committee for their paper, Static Detection of Second-Order Vulnerabilities in Web Applications. Second-order vulnerabilities are so called because the attacker's data is first uploaded to and stored by the web server, and only later passed on to security-critical software – allowing holes in that software to be exploited by the stored payload.

"By analysing reads and writes to memory locations of the web server, we are able to identify unsanitised data flows by connecting input and output points of data in persistent data stores such as databases or session data," the pair wrote in the lauded paper, which revealed 159 second-order vulns in six popular web apps including several critical zero-day holes.
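The approach that sentence describes, as an added toy illustration in Python (not the authors' tool; the mini-IR, script names and store slots are constructed): writes to a persistent store and later reads from it are linked, so a payload saved in one request and used unsanitised in another is flagged even though no single script shows a source-to-sink path.

```python
# Added toy illustration (not the authors' tool): link write and read points of
# a persistent store to find unsanitised flows. A program is a list of
# (script, statements) over a constructed mini-IR; scripts run in separate requests:
#   ("source", v) user input -> v      ("sanitize", v)   v sanitised
#   ("assign", d, s) d = s            ("store", key, v) v written to slot key
#   ("load", v, key) slot key -> v    ("sink", kind, v) v reaches a critical op

def _walk(stmts, tainted_keys):
    """Walk one script. Returns (slots written with taint, tainted sink uses)."""
    tainted, written, hits = {}, set(), []
    for st in stmts:
        op = st[0]
        if op == "source":
            tainted[st[1]] = "input"
        elif op == "sanitize":
            tainted.pop(st[1], None)
        elif op in ("assign", "load"):  # a load from a tainted slot is a new source
            origin = tainted.get(st[2]) if op == "assign" else (
                "store:" + st[2] if st[2] in tainted_keys else None)
            if origin is None:
                tainted.pop(st[1], None)
            else:
                tainted[st[1]] = origin
        elif op == "store" and st[2] in tainted:
            written.add(st[1])
        elif op == "sink" and st[2] in tainted:
            hits.append((st[1], st[2], tainted[st[2]]))
    return written, hits

def find_unsanitised_flows(program):
    """Pass 1: slots ever written unsanitised, iterated to a fixpoint so that
    store->load->store chains count. Pass 2: (script, sink, var, origin) hits."""
    tainted_keys, prev = set(), None
    while tainted_keys != prev:
        prev = set(tainted_keys)
        for _, stmts in program:
            tainted_keys |= _walk(stmts, tainted_keys)[0]
    findings = []
    for name, stmts in program:
        findings += [(name,) + hit for hit in _walk(stmts, tainted_keys)[1]]
    return findings

# Constructed sample: a nickname saved raw in one request is queried in another;
# a theme value is sanitised before storage; a search term is sanitised in place.
SAMPLE = [
    ("profile_save.php", [("source", "nick"), ("store", "user.nick", "nick")]),
    ("profile_view.php", [("load", "n", "user.nick"), ("sink", "sql", "n")]),
    ("settings_save.php", [("source", "th"), ("sanitize", "th"), ("store", "user.theme", "th")]),
    ("settings_view.php", [("load", "t", "user.theme"), ("sink", "html", "t")]),
    ("search.php", [("source", "q"), ("sanitize", "q"), ("sink", "sql", "q")]),
]
```

Running `find_unsanitised_flows(SAMPLE)` reports only the profile_view.php query fed from the user.nick slot; the origin field distinguishes such second-order hits from direct ("input") first-order ones.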

Internet Defense Prize™ committee member and security geek John Flynn said Facebook was considering funding further related research to help spin out detection systems.

"In addition to their impressive results, the committee responded well to their implementation approach," Flynn said.

"The technical merit of the paper was strong, and the committee could see a clear path for applying the award funds to push the research to the next level in order to produce broader impact and encourage people to implement the technology."

Bigger and better Internet Defense Prize™ awards will be handed out in future, and Menlo Park encouraged security bods to submit their research. Facebook has dished out more than $3m to security bug hunters, and paid out to the Core Infrastructure Initiative which funded the uncovering of critical security software flaws.

Ultimately, the Internet Defense Prize™ is just like Microsoft's BlueHat contest: the breakers get the fame while the builders remain in the shadows.

"We decided to focus on creating greater opportunities and incentives for researchers to produce work that actually protects people," Flynn argued. ®
