Facebook slings $50k Internet Defense Prize™ at bug hunter duo

Upload exploits, download cash

Facebook and Usenix have together created the Internet Defense Prize™ – and awarded its first gong to security bods Johannes Dahse and Thorsten Holz.

The pair, of Ruhr University Bochum in Germany, received $50,000 from Facebook's prize-giving committee for their paper, Static Detection of Second-Order Vulnerabilities in Web Applications. Second-order vulnerabilities are so called because the attacker's payload is not exploited when it is first submitted: the web application stores it (in a database, a file or session data) and only later reads it back and feeds it, unsanitised, into a security-critical operation such as a database query or HTML output, where it fires.

"By analysing reads and writes to memory locations of the web server, we are able to identify unsanitised data flows by connecting input and output points of data in persistent data stores such as databases or session data," the pair wrote in the lauded paper, which revealed 159 second-order vulns in six popular web apps including several critical zero-day holes.
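The write-then-read flow described above, shown as an added example (this is not code from the paper or from the applications it analysed): a registration form escapes quotes before its INSERT, so the first-order write is safe, but a later password-change feature trusts the username it reads back from the database and splices it into an UPDATE. The table layout, the function names and the attacker's username are constructed for the example.

```python
import sqlite3


def setup_db():
    # Constructed schema: one admin account whose password the attacker wants to overwrite.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'correct-horse');
        """
    )
    return conn


def escape(s):
    # First-order defence only: doubling single quotes makes the INSERT below safe,
    # but it does nothing for code that later reads the stored value back.
    return s.replace("'", "''")


def register(conn, username, password):
    # Write point: attacker-controlled input enters the persistent store here.
    conn.execute(
        f"INSERT INTO users (username, password) "
        f"VALUES ('{escape(username)}', '{escape(password)}')"
    )
    conn.commit()


def change_password_vulnerable(conn, user_id, new_password):
    # Read point: the username comes from the database, so the developer treats it as trusted.
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    # Sink: the stored value is spliced into SQL without escaping.
    # A static analyser connecting the INSERT above with this SELECT flags this line.
    conn.execute(
        f"UPDATE users SET password = '{escape(new_password)}' WHERE username = '{username}'"
    )
    conn.commit()


def change_password_fixed(conn, user_id, new_password):
    # Hardened form: parameterised query, so the stored value can never change the SQL.
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, username)
    )
    conn.commit()


def admin_password(conn):
    return conn.execute(
        "SELECT password FROM users WHERE username = 'admin'"
    ).fetchone()[0]


def demo(fixed):
    """Register with a crafted username, then change 'our own' password.

    Returns the admin password afterwards: 'correct-horse' if the application held,
    'pwned' if the second-order injection reached the admin row.
    """
    conn = setup_db()
    payload = "x' OR username = 'admin"  # constructed attacker input
    register(conn, payload, "whatever")
    attacker_id = conn.execute(
        "SELECT id FROM users WHERE username = ?", (payload,)
    ).fetchone()[0]
    change = change_password_fixed if fixed else change_password_vulnerable
    change(conn, attacker_id, "pwned")
    return admin_password(conn)


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))  # pwned
    print("fixed:     ", demo(fixed=True))   # correct-horse
```

The registration step is exactly what a first-order scanner would pass: the only user input it sees is escaped before the INSERT. The flaw is only visible when the INSERT in `register` and the SELECT in `change_password_vulnerable` are connected through the `users` table, which is the data-flow linkage the paper describes.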

Internet Defense Prize™ committee member and security geek John Flynn said Facebook was considering funding further related research to help spin out detection systems.

"In addition to their impressive results, the committee responded well to their implementation approach," Flynn said.

"The technical merit of the paper was strong, and the committee could see a clear path for applying the award funds to push the research to the next level in order to produce broader impact and encourage people to implement the technology."

Bigger and better Internet Defense Prize™ awards will be handed out in future, and Menlo Park encouraged security bods to submit their research. Facebook has dished out more than $3m to security bug hunters, and has contributed to the Core Infrastructure Initiative, whose funding has paid for work that uncovered critical flaws in widely used security software.

Ultimately, the Internet Defense Prize™, like Microsoft's BlueHat Prize before it, is an attempt to redress an old imbalance: the breakers get the fame while the builders remain in the shadows.

"We decided to focus on creating greater opportunities and incentives for researchers to produce work that actually protects people," Flynn argued. ®
