Microsoft and Facebook start Internet-wide bug bounty program

Dubbed The Internet Bug Bounty, it is sponsored by the two Internet giants and is aimed at anyone who discovers vulnerabilities in a series of open source programming languages, web apps, software, app frameworks, HTTP servers, as well as the OpenSSL implementation, Chrome, IE, Adobe Reader and Flash sandboxes, and the “Internet” in general.

To participate, the hackers / submitters will have to create an account that will require them to enter a name (or pseudonym), email address, username and password, but that doesn’t mean they have to disclose their identity. Also, the site () logs data that can be used to identify the user such as IP address, device, OS, browser information, and more, but the access logs are deleted after 180 days. The program’s privacy policy can be viewed here.

On their end, the security and response teams from the companies and organisations whose products are affected are barred from threatening, punishing or report to law enforcement the hackers who responsibly disclose the vulnerabilities.

Once a bug is reported – and in order to become eligible for a prize, it’s not necessary to submit PoC exploit code for it – the individual product response teams will be notified of it automatically and have 30 days to fix the bug and 180 days to publicly disclose its existence. If they don’t respond to the initial report in 7 days, the bug report will be made public 30 days after the program’s initial contact attempt.

The minimum amount paid for a bug depends on the product which it affects. For example, for the “Internet” is $5,000, for OpenSSL is $2,500, for Perl is $1,500, while for Nginx is $500. Maximum amounts are not determined, and could be considerable – it all depends on the severity of the found bug and on the quality of the submission.

This will be determined by the individual response teams in cooperation with the researchers in the bug bounty program’s panel (mostly from Facebook and Microsoft, but one from Google, iSec Partners and Etsy as well).

The program is open to hackers of all ages, but submitters younger than 13 will need their parent’s or legal guardian’s help to collect the prize. Also, individuals on US embargo lists or in countries currently on US embargo lists are barred from submitting.

More details about the program can be found here, the Disclosure Policy here, and the details about what each specific product requires in view of qualifications for the bounties can be checked from the program’s site’s main page.

“Our collective safety is only possible when public security research is allowed to flourish,” the program states. “Some of the most critical vulnerabilities in the internet’s history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers.”