Search results for: bug bounties

Bug bounties are cheaper than hiring full-time bug hunters

Software companies that have instituted bug bounties are on the right track, a recently published report by researchers of the University of California, Berkeley computer science department has shown. Vulnerability rewards programs (VRPs) are 2 to 100 times more cost-effective than hiring expert security researchers to find vulnerabilities, they say, and by comparing the Chrome and Firefox VRPs, they have pointed out why the former is more effective than the latter. In order to perform …

Week in review: Microsoft bug bounties, NSA, GCHQ surveillance, and the new issue of (IN)SECURE Magazine

Here’s an overview of some of last week’s most interesting news, interviews, articles and reviews: Account takeover attempts have nearly doubled ThreatMetrix announced its Cybercrime Index, a series of Web fraud data aggregated from 1,500 customers, 9,000 websites and more than 1.7 billion cyber events. British GCHQ spied on G20 delegates to gain advantage in talks The British GCHQ has monitored computers and intercepted phone calls made by the foreign participants of two G20 summit …

Microsoft to pay up to 150k for vulnerabilities

After years of saying that bug bounties are not the best way to go about getting crucial product vulnerability information in the long run, Microsoft has done an about-face and has announced three separate bug bounties. Starting June 26, the company will be rewarding researchers with up to $100,000 for discovering and reporting “truly novel” exploitation techniques against protections built into the latest version of their OS (currently Windows 8.1 Preview), an additional $50,000 …

Google ups (some) bug bounties

Google has once again decided to raise the sums that researchers can earn by offering information about bugs in the company’s web services and properties (YouTube, Blogger, Orkut, Google Search, and so on). Information about cross-site scripting (XSS) flaws is now worth $7,500 (used to be $3,133.7), that on Gmail and Google Wallet bugs is now $5,000 (previously $1,337). XSS vulnerabilities on other properties, which were previously worth $500, are now rewarded with $3,133.7, …

Mega pays out first batch of bounties, its crypto still intact

Mega, the file hosting service and successor to Megaupload founded by Kim Dotcom, recently instituted a bug bounty program that should help keep the service and its users safe from a variety of security-relevant or design flaws. They offered rewards of up to 10,000 Euros per bug, depending on its complexity and impact potential, and have also offered the maximum reward for anyone who can break Mega’s open source encryption scheme. A little over …

Chrome 22 released, researchers awarded $30K in bug bounties

Chrome v22 has been released, and with it over 40 vulnerabilities – 15 of which high-severity – have been closed. Google’s reward program for the responsible disclosure of vulnerabilities in the company’s assets is obviously a great success for Google, but also for independent vulnerability hunters such as Sergey Glazunov, who has been one of the greatest contributors since the start of the bug bounty program in 2010. This time he managed to earn himself …

Interview with Joe Sullivan, CSO at Facebook

Joe Sullivan is the Chief Security Officer at Facebook, where he manages a small part of a company-wide effort to ensure a safe internet experience for Facebook users. He and the Facebook Security Team work internally to develop and promote high product security standards, partner externally to promote safe internet practices, and coordinate internal investigations with outside law enforcement agencies. Being the CSO of Facebook certainly puts you into the spotlight. How have your prior …

Week in review: Mobile drive-bys, Facebook bug bounty and Operation Shady RAT

Here’s an overview of some of last week’s most interesting news and articles: Facebook introduces bug bounty program Facebook has decided to follow in Google’s and Mozilla’s steps and institute a bug bounty program rewarding the responsible disclosure of security vulnerabilities in the social networking platform. Mass iFrame injection attack now counts millions of compromised web pages Armorize researchers have been keeping an eye on the unfolding situation and point out that the attackers are …

Microsoft offers $250,000 prize for innovative security technology

Microsoft may not believe in bug bounties, but it’s not averse to paying for knowledge when it comes to ingenious defensive solutions. The company’s Trustworthy Computing Group announced the BlueHat Prize competition to reward security researchers with more than $250,000 in cash and prizes for developing innovative, new computer security protection technology. The top three winners in the BlueHat Prize competition will earn more than $250,000 in cash and prizes: $200,000 for the grand prize, …

Facebook introduces bug bounty program

Facebook has decided to follow in Google’s and Mozilla’s steps and institute a bug bounty program rewarding the responsible disclosure of security vulnerabilities in the social networking platform. “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against …

Security vendor launches bug bounty

Barracuda Networks announced their Security Bug Bounty Program, an initiative that rewards researchers who identify and report security vulnerabilities in the company’s security product line. In the past, several technology companies have announced bug bounties; however, Barracuda Networks is the first security vendor to offer such a bold program, to reward researchers for identifying vulnerabilities in its own products. The following security products are eligible: Barracuda Spam & Virus Firewall, Barracuda Web Filter, Barracuda Web …

No more free bugs?

The recent announcements from Google and Mozilla that revealed their intent of paying up to $3,133.7 and $3,000 (respectively) for an eligible vulnerability discovered by outside researchers have been welcome news to all those security researchers who would like to get more than a mention of their name as thanks for discovering a vulnerability that could affect millions of people. But other big companies are still not offering to pay – Apple, Adobe, Microsoft and …