Open source bug bounty to expand: Facebook

Facebook expects to expand the list of open source programs available for vulnerability rewards under the Internet Bug Bounty program revealed last week.

The program aims to incentivise vulnerability disclosures that have “severe security implications to the public,” according to a website set up for the movement.

In addition to tackling widespread vulnerabilities affecting internet users – which could impact multiple vendors, or those with a significant user base – Microsoft and Facebook also assembled a list of 11 open source projects, making specific information on cash rewards available for each.

Sandbox Escapes, OpenSSL, Ruby, Python, Rails, Apache httpd, PHP, Django, Perl, Phabricator and Nginx, are currently all open source projects highlighted on the hackerone.com website launched for the “Internet Bug Bounty" program.

Bounties range from a minimum $300 reward for eligible Phabricator bugs to a minimum $5,000 reward for novel discoveries impacting Sandbox Escapes – the same starting amount offered for significant disclosures in the program's "internet” category.  

Facebook product security lead Alex Rice said the highlighted open source projects were chosen according to how "critical" the projects were to users.

While Microsoft and Facebook are funding the initial round of bounties, the program is managed by a panel of security experts from the companies and from Google, Etsy and San Francisco-based security firm iSEC Partners.

“We picked a handful of open source projects that we think are critical to a lot of people – for example, OpenSSL, and the Ruby programming language,” Rice said.

He added that the grouping of open source projects featured will likely grow as time progresses.

“We explicitly selected projects with historically strong security track records and an active volunteer community of security contributors, and we will very likely expand the list in the future,” Rice said.

With the new incentive, Rice said that Facebook expects to see “contributors from an incredibly diverse set of backgrounds. The majority of which are not full-time security researchers.”

High-Tech Bridge CEO Ilia Kolochenko said it will be interesting to see who participates in the program long-term, as some of the discoveries rewarded, like major vulnerabilities in OpenSSL, require quite a bit of researching skill.

The company is arguably the security firm that helped spur Yahoo into moving from paltry gift vouchers for bug bounties to a more formalized bug reporting and bounty policy.

“I think it will [consist of] people testing themselves to see if they can hack and test [software] themselves,” Kolochenko said. “Maybe I can try, and if I succeed, excellent.” 

Overall, he said the program would be “good for the safety of the internet.”

James Forshaw, the U.K. researcher who was awarded Microsoft's first $100,000 bounty for reporting a critical mitigation bypass flaw in Windows 8.1, said that he sees the program as having a lofty goal, that sets quite a high bar to reach for many participants.

“These are generally serious vulnerabilities,” Forshaw said, later adding that the move could be beneficial in getting skilled researchers to take a deeper look at software impacting the masses.

“Certainly, if they can get those types of vulnerabilities, that's quite an important thing from a security point of view – potentially for the whole world,” Forshaw said.

This article originally appeared at scmagazineus.com