While Facebook and Microsoft already run security bug bounty programs of their own, the two companies are now working together to reward researchers who can find flaws in some of the underlying technologies behind online communications.

The Internet Bug Bounty program will pay a minimum for $5,000 for flaws in sandboxed applications or for bugs in fundamental internet technologies such as DNS and SSL. Lower payouts are offered for spotting problems in Ruby, Python, PHP, Apache, Perl, and other software.

"Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism," the two companies said on the bounty program's website.

"We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers."

To qualify, flaws must found in code that is in widespread use, of serious or critical severity, or be an unusual or novel hack that no one has thought of as yet. Once reported and verified, software providers will have 180 days to fix the problem before any announcement is made of money paid out.

The 10-person judging panel is dominated by Microsoft and Facebook staff, but there will be input from Google's security researcher Chris Evans, director of security engineering at Etsy Zane Lackey, and penetration tester from iSec Jesse Burns.

The contest is open to anyone in the world, except those countries under US trade embargo. There's no age limit, but if you're not yet a teenager then a parent or guardian will have to claim the money for you.

If researchers choose to donate their winnings to charity, the program may increase the end payout as a gesture of altruism. It's a sad fact of life that the baseline payouts on offer here are far less than what weaponized exploits against unpatched security bugs can fetch on the open market – although the Internet Bug Bounty sets no upper limit on payments for some security holes. ®

Related stories

• You don't need a HERO, you need a ZERO. From Google (15 July 2014)

  https://www.theregister.com/2014/07/15/google_project_zero/

• We don't need no STEENKIN' exploit brokers: Let's FLATTEN all bug bounties (23 December 2013)

  https://www.theregister.com/2013/12/23/compulsory_bug_bounties/

• Bug bounty upstart thinks there's BIG MONEY in crowdtesting (22 November 2013)

  https://www.theregister.com/2013/11/22/crowdsource_bug_bounty_scheme/

• Crowdfunded audit of 'NSA-proof' encryption suite TrueCrypt is GO (6 November 2013)

  https://www.theregister.com/2013/11/06/truecrypt_audit_is_go/

• Sysadmins! Microsoft now offers $100k for tales of your horrible infections (4 November 2013)

  https://www.theregister.com/2013/11/04/microsoft_expands_bug_bounties_to_give_it_admins_a_chance/

• Google to award bounties for fixing non-Google open source code (10 October 2013)

  https://www.theregister.com/2013/10/10/google_open_source_bug_bounties/

• Microsoft covers Brit who penetrated Windows 8.1 with GOLD (9 October 2013)

  https://www.theregister.com/2013/10/09/windows_bypass_bug_bounty/

• Microsoft hands out $28K to bug-hunters (8 October 2013)

  https://www.theregister.com/2013/10/08/ms_bug_bounty/