Facebook slings $50k Internet Defense Prize™ at bug hunter duo

Upload exploits, download cash

Facebook and Usenix have together created the Internet Defense Prize™ – and awarded its first gong to security bods Johannes Dahse and Thorsten Holz.

The pair, of Ruhr University Bochum in Germany, received $50,000 from Facebook's prize-giving committee for their paper, Static Detection of Second-Order Vulnerabilities in Web Applications. Second-order vulnerabilities are so called because they involve uploading data to web servers, which pass on the data to security-critical software – allowing holes in the critical software to be exploited by the uploaded payload.

"By analysing reads and writes to memory locations of the web server, we are able to identify unsanitised data flows by connecting input and output points of data in persistent data stores such as databases or session data," the pair wrote in the lauded paper, which revealed 159 second-order vulns in six popular web apps including several critical zero-day holes.
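The data flow the paper describes, taken to a concrete case, looks like this. The example below is an added illustration and is not code from the paper or from Facebook; it uses an in-memory SQLite database with a constructed `users` and `notes` schema and a constructed sample username. The first-order write (registration) is done correctly with a parameterised query, so the input is stored verbatim. The second-order read (listing a user's notes) then trusts the stored value and interpolates it into a new query, which is the unsanitised input-to-output connection through a persistent store that the analysis is looking for. The hardened variant keeps the stored value parameterised all the way through.

```python
import sqlite3

# Constructed schema and seed rows for the demonstration; not from the paper.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice'), ('bob')")
    conn.execute(
        "INSERT INTO notes VALUES ('alice', 'alice private'), ('bob', 'bob private')"
    )
    return conn


def register(conn, username):
    """First-order write: parameterised, so the raw input lands in the store untouched."""
    cur = conn.execute("INSERT INTO users (name) VALUES (?)", (username,))
    return cur.lastrowid


def list_notes_vulnerable(conn, user_id):
    """Second-order read: the stored name is treated as trusted and interpolated."""
    (stored_name,) = conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    # Persistent data re-enters a query without sanitisation: the second-order sink.
    query = f"SELECT body FROM notes WHERE owner = '{stored_name}'"
    return [row[0] for row in conn.execute(query)]


def list_notes_hardened(conn, user_id):
    """Same read path, but the stored value stays a bound parameter."""
    (stored_name,) = conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (stored_name,))
    return [row[0] for row in rows]


def demo():
    """Return (vulnerable_result, hardened_result) for a constructed hostile username."""
    conn = setup_db()
    # Constructed sample input; the registration step stores it verbatim.
    new_id = register(conn, "mallory' OR '1'='1")
    return list_notes_vulnerable(conn, new_id), list_notes_hardened(conn, new_id)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable read path returned:", vulnerable)
    print("hardened read path returned:  ", hardened)
```

Running `demo()` shows the vulnerable read path returning every user's notes while the hardened one returns nothing for the new account, which has no notes. Note that scanning only the registration handler would find nothing wrong; the defect is visible only by connecting the write point in `register` to the read point in `list_notes_vulnerable` through the `users` table, which is exactly the input/output pairing over persistent stores that the cited analysis performs.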

Internet Defense Prize™ committee member and security geek John Flynn said Facebook was considering funding further related research to help spin out detection systems.

"In addition to their impressive results, the committee responded well to their implementation approach," Flynn said.

"The technical merit of the paper was strong, and the committee could see a clear path for applying the award funds to push the research to the next level in order to produce broader impact and encourage people to implement the technology."

Bigger and better Internet Defense Prize™ awards will be handed out in future, and Menlo Park encouraged security bods to submit their research. Facebook has dished out more than $3m to security bug hunters, and paid out to the Core Infrastructure Initiative which funded the uncovering of critical security software flaws.

Ultimately, the Internet Defense Prize™ is just like Microsoft's BlueHat contest: the breakers get the fame while the builders remain in the shadows.

"We decided to focus on creating greater opportunities and incentives for researchers to produce work that actually protects people," Flynn argued. ®
