The Internet Bug Bounty (IBB), a project aimed at finding and fixing vulnerabilities in core internet infrastructure and free open source software, has announced that it will be giving out rewards for critical vulnerabilities in core infrastructure data processing libraries.
The software packages in scope are:
For the moment, bug bounties will be given out only for reports that flag “vulnerabilities that demonstrate unambiguous remote code execution,” the exploitation of which “can be easily, actively, and reliably achieved.”
Why this restriction? Sadly, many important open source projects are understaffed and overworked.
“The main reason we have extra stipulations on this particular program is that some of the projects that have signed up were worried about being inundated with low-severity issues that didn’t actually do much to improve security. So, we started with a fairly high bar to emphasize the main goal of looking for critical vulnerabilities (i.e., RCE),” HackerOne’s Reed Loden, a member of IBB’s panel, explained.
Any RCE vulnerability found must first be privately disclosed to the maintainers of the affected project in scope; otherwise the researchers are not eligible for a bounty. Only after the vulnerability has been validated, accepted, and publicly disclosed by the project maintainers can the researchers submit it to the IBB and claim the reward.
The minimum bounty amount has been set at $500 – there is no indication what the maximum could be.
Other well-known projects that fit into the “data processing” category can participate in this bug bounty program, the IBB said, urging their maintainers to reach out to be added to the list.