Microsoft and Facebook announce bug bounty
Microsoft and Facebook under the auspices of HackerOne have announced a bug bounty program for the key applications that power the Internet. The bounty covers a wide range of applications from the sandboxes in popular browsers to the programming languages that power the LAMP stack, php, Perl, Ruby and Rails, to the the web servers that serve up the content, nginx and apache and others. Bounties for a successful vulnerability report are from a few hundred dollars to a couple of thousand.
I have, in the past, been on the fence over the value of bug bounties. But the recent spate of zero-day attacks have made me rethink this stance. It is clear that we need to find a way to reduce the number of vulnerabilities in software as early in the software development cycle as possible. I come from a software development background and am painfully aware of how difficult it is to avoid making mistakes in coding, and testing can never exercise all possible ways an application can be abused. I was once of the belief that code coverage tools and dynamic and static analysis tools would close that gap somewhat, but what tools do exist have not met expectations.
Until the unlikely day comes that we can ensure applications are deployed without vulnerabilities perhaps the best we can achieve are bug bounties to help stay a bit ahead of the bad guys.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Comments
Anonymous
Nov 10th 2013
1 decade ago
Utopian thought, that would interfere with their next released that has numerous undocumented features and slow the flow of $. How many patches did Windows 3.0 and 3.1X have?
But then.. 95,98, ME, 2000, XP, Vista, 7,8 and lets not forget the server side or office products, thousands.
This is what happens when a company is too big to fail, they fail to produce a decent product. Now, if the company was fined with a bounty.. you might see a lot of these issues go away. Oracle ie.. Java... MS, Cisco.. ect.
Anonymous
Nov 10th 2013
1 decade ago