White hat hackers have a new incentive to uncover bugs in widely used Internet tools and open source components: a program offering substantial cash rewards for vulnerability discoveries. Sponsored primarily by Microsoft and Facebook, the Internet Bug Bounty Program seeks to improve the software security of tools, protocols and open source frameworks whose weaknesses affect a broad swath of Internet users, with bounties of $5,000 or more for the most critical categories.
“We’re trying to broaden the scope a little bit and cover a lot of stuff that doesn’t have a particular vendor behind it or things that all of us benefit from joining together to tackle,” Alex Rice, a security researcher at Facebook, told Ars Technica.
The program will be controlled by Facebook and Microsoft researchers, as well as security professionals from Google, security firm iSec Partners and e-commerce site Etsy, Ars reported.
Protecting the Internet
Two of the main focus areas are sandbox escape exploits and vulnerabilities that fall under the program's general category of “The Internet.”
To qualify for the latter, a vulnerability must manifest across a wide range of products or affect a large number of users, and it must be vendor agnostic. It must also be new and have severe negative consequences for the public. The panel noted that it may not always be the best outlet for a disclosure, but its aim is to provide a channel for resolving critical vulnerabilities in the Internet's shared infrastructure, a job that has, in the past, mostly relied on the goodwill of volunteers. Past disclosures that would have qualified include BEAST, the 2011 blockwise chosen-boundary attack on SSL/TLS CBC encryption that recovered plaintext such as session cookies from HTTPS traffic, and the 2008 “DNS Insufficient Socket Entropy Vulnerability,” which let a remote attacker spoof DNS responses and poison resolver caches.
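The BEAST attack mentioned above depends on a TLS 1.0 design flaw rather than on any particular cipher: each record's CBC initialization vector is the last ciphertext block of the previous record, which the attacker has already seen on the wire. The simulation below is added here as an illustration; it is not code from the article, from Ars Technica or from the Internet Bug Bounty Program. It shows the chosen-boundary trick recovering a secret one byte at a time with at most 256 encrypted probes per byte. The block cipher is a toy Feistel permutation standing in for AES, and the padding scheme, record layout and the `Tls10Sender` victim class are simplifications assumed for the demo.

```python
"""BEAST chosen-boundary attack, simulated against CBC with chained IVs (TLS 1.0).

Added example; the toy Feistel cipher, the Tls10Sender victim and the secret
value are constructed for this demo and are not part of the article.
"""
import hashlib
import os

BLOCK = 16


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the toy Feistel network (8-byte halves).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on a 16-byte block. Any block cipher works here:
    BEAST attacks the CBC chaining, not the cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    # PKCS#7-style padding; TLS pads slightly differently, which does not matter here.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


class Tls10Sender:
    """Victim side. Encrypts each record in CBC mode and, as TLS 1.0 did, uses the
    last ciphertext block of the previous record as the IV of the next one.
    The attacker sees every ciphertext on the wire but never the key or secret."""

    def __init__(self, key: bytes, secret: bytes):
        self._key = key
        self._secret = secret
        self._iv = os.urandom(BLOCK)  # only the very first IV is random

    def _encrypt_record(self, plaintext: bytes) -> bytes:
        prev, out = self._iv, b""
        for i in range(0, len(plaintext), BLOCK):
            prev = toy_block_encrypt(self._key, xor(plaintext[i:i + BLOCK], prev))
            out += prev
        self._iv = prev  # chained IV: the flaw BEAST exploits
        return out

    def send_request(self, attacker_prefix: bytes) -> bytes:
        # The browser sends attacker-chosen path bytes followed by the secret cookie.
        return self._encrypt_record(pad(attacker_prefix + self._secret))

    def send_chosen(self, plaintext: bytes) -> bytes:
        # A record whose plaintext the attacker fully controls (e.g. via a plugin channel).
        return self._encrypt_record(pad(plaintext))


def beast_recover(victim: Tls10Sender, secret_len: int) -> bytes:
    """Recover the secret byte by byte. The attacker only ever reads ciphertexts."""
    recovered = b""
    iv = victim.send_chosen(b"")[-BLOCK:]  # any earlier record: its last block is the next IV
    for k in range(secret_len):
        # Pick the prefix length so that secret byte k is the last byte of a block whose
        # other 15 bytes (prefix plus already-recovered secret bytes) are known.
        prefix = b"A" * ((BLOCK - 1 - k) % BLOCK)
        t = (len(prefix) + k) // BLOCK                      # index of the target block
        known15 = (prefix + recovered)[t * BLOCK:t * BLOCK + BLOCK - 1]
        ct = victim.send_request(prefix)
        blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        target = blocks[t]
        prev_ct = iv if t == 0 else blocks[t - 1]           # C_{t-1}, XORed into the target
        iv = ct[-BLOCK:]
        for g in range(256):
            # The next IV is known, so XOR it out and feed the cipher exactly
            # C_{t-1} XOR (known15 || guess); a match reveals the secret byte.
            probe = victim.send_chosen(xor(xor(prev_ct, iv), known15 + bytes([g])))
            iv = probe[-BLOCK:]
            if probe[:BLOCK] == target:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; block alignment is wrong")
    return recovered


def demo() -> bool:
    key = os.urandom(16)
    secret = b"session=4f9c1d"  # constructed cookie value, not real data
    return beast_recover(Tls10Sender(key, secret), len(secret)) == secret
```

The fix in TLS 1.1 and later is a fresh, explicit random IV per record, which removes the attacker's knowledge of the next IV and makes the probe on the last lines impossible; the chosen-boundary alignment in `beast_recover` is the same trick that let the original BEAST demonstration pull a session cookie out of an HTTPS connection.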
Sandbox escape exploits that may be considered are those that reliably bypass the application sandboxes in applicable versions of Chrome, Internet Explorer, Adobe Reader, Adobe Flash, Windows, Linux and OS X. The bug must lie outside the sandboxed application itself, for example in the operating system kernel; bugs in the application's own sandbox implementation should be reported to that vendor directly. The program cites CVE-2013-1300, an operating-system kernel vulnerability used earlier this year in a Chrome sandbox escape, as an example. Both sandbox and general Internet bugs are eligible for rewards starting at $5,000, with larger payouts possible.
Improving open source tools
Another focus of the program will be improving the software security of widely used open source tools, including OpenSSL, Python, Ruby, PHP, Django, Rails, Perl, Phabricator, Nginx and Apache httpd. The announcement coincides with recent research suggesting that open source projects could use more thorough vulnerability disclosure practices, as well as Google’s announcement that it would be starting its own bug bounty program for open source projects including OpenSSL.
As attention shifts toward the security of these shared tools, there is an implicit reminder to developers that avoiding vulnerabilities in the first place remains paramount. Vendors without bug bounty programs may want to consider other ways to improve security, such as a secure development lifecycle that includes code review and static analysis. The effects of the Internet Bug Bounty Program have yet to be seen, but it will be closely watched by those with a stake in online vulnerability prevention and mitigation.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.