Security researchers laud Microsoft, Facebook bug bounty programs

Efforts should provoke responsible vulnerability research on widely used technologies

Facebook and Microsoft are winning plaudits from security researchers for launching an initiative to offer bounties to bug hunters who discover and report vulnerabilities in widely used products.

Unlike other bug bounty programs, the program announced this week by the duo is not vendor specific. Rather it will reward bug hunters for vulnerabilities they discover in a range of technologies that includes Python, Perl, PHP, Ruby on Rails and Django, Apache and Nginx Web. Also covered are technologies such as the application sandbox mechanisms in Internet Explorer 10, Google Chrome and Adobe Reader.

A website set up under the program allows bug hunters to report vulnerabilities and connect them with response teams capable of addressing the bugs. The site spells out the vulnerability disclosure guidelines, specific disclosure timelines and processes that security researchers must follow to qualify for a reward.

The Internet Bug Bounty program aims to reward security research in areas that will ultimately make the Web more secure overall, according to Facebook and Microsoft.

"Our approach is meant to help reward contributions towards either side of the solution," a spokesman for the program said on Friday. There are two awards for each bug: one for finding it and one for fixing it. The bug's discoverer can double the initial bounty by providing a fix, or another volunteer from the community can step in and claim the "fix" bounty," he said.

Dan Kaminsky, co-founder and chief scientist of security start up WhiteOps, called the effort ground-breaking. "What Microsoft and Facebook are saying is that if software has reached the level of being infrastructure, then it is in everyone's interest to get it fixed" and insure it's secure, he said.

In 2008, Kaminsky reported a DNS cache poisoning vulnerability that affected virtually every domain name server on the Internet and led to an unprecedented synchronized patching effort by Microsoft, Cisco and numerous other technology vendors. Patching the problem involved months of coordinated effort between numerous vendors, security researchers and the U.S. Computer Emergency Response Team (U.S. CERT).

This program will make it easier for security researchers to report vulnerabilities that touch multiple products and technologies and will enable a better response, he said. "What Facebook and Microsoft have done is cut the Gordian Knot," he said.

Reeny Sondhi, director of product security assurance at EMC Corp., called the bug bounty program a worthy initiative.

"We have seen multiple vendors have their own bug bounty programs," Sondhi said. "This is the first time where there have seen a collective intent to come together for security research."

Sondhi called the effort a positive step to encourage responsible vulnerability disclosures affecting critical Internet infrastructure technologies. Many of the technologies covered by the bug bounty program are integrated into products from numerous vendors, Sondhi said.

"At EMC and RSA, we use many of the components that are part of the program," she said. "When we embed some of these technologies in our products, we end up inheriting vulnerabilities [that may exist in them]."

Any effort to address such vulnerabilities is a good thing, she said.

The spokesman for the bug bounty program said that Facebook and Microsoft will fund the initial round of bounties being offered under the initiative. "But this is a broader community effort involving participation from a range of backgrounds," he said. "We're all invested in the security of the Internet, and since we've all seen the positive benefits from bug bounty programs, it was a natural extension for some of the heaviest users of the web to partner up to help protect it."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags HPNGINXGooglesecurityMicrosoftphpMalware and VulnerabilitiesFacebook

More about Adobe SystemsApacheCERT AustraliaCiscoComputer Emergency Response TeamEMC CorporationFacebookGoogleMicrosoftRSATopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts