Facebook: Bug bounty program for internet will likely expand open source focus

Share this article:

Facebook, which this week collaborated with Microsoft to introduce “The Internet Bug Bounty” program, expects to expand the list of open source programs the initiative will focus on securing, the company said.

The bug bounty program, revealed Wednesday, aims to incentivize vulnerability disclosures that have “severe security implications to the public,” according to a website set up for the movement.

In addition to tackling widespread vulnerabilities affecting internet users – which could impact multiple vendors, or those with a significant user base – Microsoft and Facebook also assembled a list of 11 open source projects, making specific information on cash rewards available for each.

Sandbox Escapes, OpenSSL, Ruby, Python, Rails, Apache httpd, PHP, Django, Perl, Phabricator and Nginx, are currently all open source projects highlighted on the hackerone.com website launched for the “Internet Bug Bounty" program.

Bounties range from a minimum $300 reward for eligible Phabricator bugs to a minimum $5,000 reward for novel discoveries impacting Sandbox Escapes – the same starting amount offered for significant disclosures in the program's "internet” category.  

On Friday, Alex Rice, product security lead at Facebook, told SCMagazine.com in an email that the highlighted open source projects were chosen according to how "critical" the projects were to users.

While Microsoft and Facebook are funding the initial round of bounties, the program is managed by a panel of security experts from the companies and from Google, Etsy and San Francisco-based security firm iSEC Partners.

“We picked a handful of open source projects that we think are critical to a lot of people – for example, OpenSSL, and the Ruby programming language,” Rice said.

He added that the grouping of open source projects featured will likely grow as time progresses.

“We explicitly selected projects with historically strong security track records and an active volunteer community of security contributors, and we will very likely expand the list in the future,” Rice said.

Page 1 of 2
Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.