Thursday, February 20, 2014

Internet Bug Bounty issues its first $10,000 reward

One of my side projects is as an adviser and panelist for the non-profit Internet Bug Bounty (IBB). We recently added Adobe Flash Player as in scope for rewards.

Earlier today, David Rude collected $10,000 for a vulnerability recently fixed in APSB13-28. My thoughts on this are too long to fit into a tweet, so I summarize them here:

  • This shows that the IBB is serious about rewarding research which makes us all safer. $10,000 is a respectable reward by modern bug bounty program standards. It also shows that when we give the reward range as "$2000 - $5000+", we are serious about that little plus character!
  • David Rude is a hero. This vulnerability was found being exploited in the wild. Recent research by Citizen Lab has linked the exploit to a morally dubious company, the targeting of journalists, and regimes with poor human rights records. Getting this bug fixed is a service to all internet users, democracy and human rights.
  • The IBB culture is to err on the side of paying. Note that David did not discover the vulnerability himself; he discovered someone else using it. IBB culture is to look mainly at whether a given discovery or piece of research helped make us all safer. Our aim is to motivate and incentivize any high-impact work that leads to a safer internet for all.
  • The vulnerability was never in fact reported to IBB! Wait, wut? It's true. The vulnerability went via Adobe's standard channels. IBB does not want or need details of unfixed vulnerabilities -- that would violate strict need-to-know handling. Once a public advisory and fix is issued, researchers or their friends may file IBB bugs to nominate their bugs for reward. Or, for important categories such as Flash or Windows / Linux kernel bugs, panel members keep an eye out for high-impact disclosures and nominate on the researchers' behalf. Because we care.

Join us for the common good of a safer internet. You can help by doing your research in the open, targeting high-impact vulnerabilities or even becoming a new corporate sponsor. If we all pull together we can make a difference.