Internet Bug Bounty plans rewards for new tools to find vulnerabilities

Rewards for bug-hunting security tools could reduce zero-day software flaws

A program that pays researchers for information on software vulnerabilities, the Internet Bug Bounty (IBB), will now also reward those who develop tools and techniques to spot bugs.

The idea is to expand the range of tools organizations can use to find security flaws in their software before hackers do and sell that valuable information, wrote Katie Moussouris, chief policy officer for HackerOne, one of IBB's sponsors, along with Facebook and Microsoft.

"In the end, the tug of war between attackers and defenders will always exist," Moussouris wrote in a blog post Tuesday. "How we structure incentives toward making offense more expensive for attackers and giving more defenders and advantage is the question."

There's a thriving shady market for security vulnerabilities. Governments, including the U.S., are known to pay large sums for information on security flaws that can be used for intelligence operations.

Independent researchers can make far more money selling vulnerability information to deep-pocketed buyers rather than reporting them to companies. Although many such as Facebook and Google offer rewards for information, the companies can't match state-sponsored organizations or cybercriminal groups.

Moussouris is scheduled to present research conducted with MIT and Harvard University researchers at the RSA security conference in San Francisco next week. It looks at the motivations behind selling software vulnerabilities, particularly those known as zero-days.

Zero-days are considered the most dangerous software problems since attackers are actively using them to compromise systems but there aren't patches available.

Their study sought to find effective methods to reduce the pool of zero-day vulnerabilities for sale. While bug reward programs run by companies have been effective, "the opportunity to sell to both offense and defense markets has increased," Moussouris wrote.

The best chance for organizations trying to defend their software is to have more tools to scan their own software.

"Example tools include but are not limited to fuzzers, debugger plugins, and especially ways to help determine exploitability of bugs more efficiently," she wrote.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecurityHackerOneExploits / vulnerabilitiesFacebook

More about FacebookGoogleHarvard UniversityMicrosoftMITRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts