Bounty hunters are often scorned by people as predators, but a new kind of searcher is sniffing around for a reward– the software bug hunter.
Microsoft Corp. and Facebook are sponsoring a new bug bounty program to give cash to those who hack, find and report vulnerabilities in software that supports the Internet stack. Targets include the PHP, Python and Perl programming languages and the open source Apache frameworks.
Some of the targets carry explicit rewards: There’s a minimum $5,000 available finding for an Internet-related vulnerability such as the BEAST SSL blockwise chose-boundary attack. For this reward vulnerabilities have to be widespread across a wide range of products or impacts a large number of users, be severe and be novel.
The minimum $1,500 reward for a Python-related bug has to completely compromise the system’s integrity or confidentiality – think of arbitrary code execution.
For some bugs there’s an extra reward for coming up with a patch.
Applicants have to be the first person to file a bug report for a particular vulnerability, the vulnerability is confirmed to be a valid security issue and the applicant has complied with the guidelines. One is to do no harm to data or privacy.
The amount of each bounty payment will be determined by the response team or an independent panel will set the bounty.
A 10-person panel of experts including four each from Microsoft and Facebook and one from iSEC Partners will set up the response teams.