Newest bug bounty touts $10K rewards, appeals for help in finding Flash flaws

Vulnerability broker mocks talk of 'heroes' who find bugs

A new entry in the cash-for-bugs business, the Internet Bug Bounty, recently paid out its first $10,000 rewards.

And on Friday, one of the researchers who judges bug report entries issued a plea to other security experts to join the hunt for flaws in Adobe's Flash Player, the media player notorious for its vulnerability volume and frequent patching.

The Internet Bug Bounty (IBB) paid $10,000 each to a pair of security researchers in late February for vulnerabilities they found in Flash, the highest-value rewards from the group since its inception last year.

"This shows that the IBB is serious about rewarding research which makes us all safer," said Chris Evans, a security engineer on the Google Chrome team and one of 11 panelists who manage the program and help vendors set payments. "$10,000 is a respectable reward by modern bug bounty program standards," Evans wrote on his personal blog four weeks ago.

The IBB paid $10,000 to David Rude on Feb. 20 and another $10,000 several days later to Clement Lecigne. Rude works as a security researcher for VeriSign's iDefense, another bug bounty program; Lecigne works for Google in its Swiss office.

IBB launched in November 2013 with a first round of bounty funding coming from Facebook and Microsoft. The latter does not have a regular bug bounty program of its own, although it does pay for broader-scope discoveries of ways to circumvent the defensive technologies baked into Windows. Other than Evans, the IBB panel includes representatives from Adobe, Facebook, iSec Partners, Microsoft and Signal Sciences.

At the time of its debut, IBB was applauded for taking a collective approach to compensating researchers.

Evans was hopeful that IBB would find other sponsors to fund the group's rewards. "The more sponsors we have on board, the more money we can inject into the whitehat community in order to make us all safer," Evans said in an email reply to questions last week. "More sponsors would mean we could cover more products and pay larger rewards."

IBB currently has a 180-day patch-or-publish guideline -- if a vendor is unable or unwilling to fix a reported flaw, details may be made public -- but it may follow HP TippingPoint Zero Day Initiative's (ZDI) lead and reduce that. "We applaud ZDI's efforts to encourage vendors to patch faster, and may follow suit," said Evans, referring to ZDI's recent announcement that it would decrease the timeline to 120 days. "Not everyone has woken up to this, but when a whitehat researcher discloses an issue, there's a reasonable chance that nefarious actors already know about the vulnerability. Therefore, taking a long time to patch puts everyone at risk."

In a post published to his personal blog Friday, Evans called on researchers to help find flaws in Adobe's Flash Player. Previously, Evans had compiled a list of at least 18 Flash vulnerabilities that had been used by attackers since 2010.

He aimed his appeal at "gray hats," a term that has a variety of definitions in security, but that Evans used to describe researchers who uncover vulnerabilities to sell to government and law enforcement intelligence agencies, who presumably use them to hack targets.

"When you entered the greyhat world, they told you you'd be helping catch terrorists, didn't they?" Evans wrote. "Recent and ongoing revelations show that no, in fact, the biggest use of your work was enabling mass surveillance, the compromise of foreign nations and even the compromise of foreign corporations. If you want to make an actual difference, see above for where defensive help is needed."

That "see above" referred to the pitch for help in rooting out Flash vulnerabilities so that Adobe would patch them.

Evans' appeal didn't go unanswered: Others, including those from firms that market vulnerabilities to government and law enforcement, took to Twitter to bash Evans' appeal, especially his label of "hero" for researchers who have found flaws in Flash Player.

"If Googlers think that reporting fuzzed crashes/0days make them 'heroes,' Vupen is then 'superhero' with all 0days we reported at #Pwn2Own," Chaouki Bekrar, CEO of French vulnerability research lab and zero-day seller Vupen, said on Twitter Saturday.

A team from Vupen exploited vulnerabilities in Adobe Flash, Adobe Reader, Chrome, Microsoft's Internet Explorer and Mozilla's Firefox at the Pwn2Own hacking contest earlier this month, winning $400,000 for its work.

At Pwn2Own, researchers are required to disclose vulnerabilities to ZDI, which in turn hands the information to vendors.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.
