The trend of paying for bugs is certainly catching on, the most recent entrant to the field is Deutsche Post the German postal service. They announced this week a security cup for their new online secure messaging service. The bug bounty trend has resurfaced recently with Mozilla increasing its bounty to $3000 and Google increasing their offering shortly after that too.
Teams will have seed money and will be awarded additional bounties for major and minor bugs. There’s quite a lot of money up for grabs if you count the seed money + find at least 2 critical bugs and a few minor bugs you could walk away with quite a fat stash.
Deutsche Post, the successor to the German federal postal service, will offer bounties for bugs researchers find in its E-Postbrief secure message service, the company announced this week.
The firm, which also operates the DHL overnight delivery service, will kick off a contest in October after it pre-approves research teams that apply for what it’s calling the Deutsche Post Security Cup. Each team will be seeded with €3,000 ($3,800), but must use their own tools and agree to not touch any private data they come across during their work. The teams must also keep quiet about any vulnerabilities they find until December, when Deutsche Post will award prizes and reveal the bugs it’s patched.
You can look at this two ways really, on one hand this is a good initiative meaning the system will be secured in some way. Of course that’s entirely dependant on the skill level of the people who enter the ‘cup’. But judging by the bounty amounts I’d say they are likely to attract a fairly decent crowd.
On the other hand you could say this is a form of crowd-sourcing, they are avoiding paying big bucks to a proper security company for an audit and farming it out under the guise of a bounty scheme to whoever shows up.
Bounties of €6,000 ($6,400) and €1,000 ($1,300) will be paid for major and minor bugs, respectively, with a four-member jury classifying the reported vulnerabilities. The jury includes Jennifer Granick, the civil liberties director of the Electronic Frontier Foundation (EFF) and Thorsten Holz, the co-founder of the German Honeynet Project, which places vulnerable systems on the Internet to collect malware.
Bug bounties and prizes gained momentum this summer after Mozilla and Google both hiked the rewards they pay to researchers who report vulnerabilities in Firefox and Chrome, respectively. Shortly after the bounty boosts, the long-running Zero Day Initiative (ZDI) bug payment program run by HP TippingPoint announced new rules, including a six-month deadline for patching reported problems.
More information about Deutsche Post’s bug contest can be found on its Web site.
I hope all findings are publicly published so we can really judge the value of the outcome and what kind of opportunity this represents for corporations who are looking for security solutions. It could bring about a whole new breed of ‘bounty hackers’ that solely exist (professionally) on these kind of offerings.
Plus the fact they do actually have some well-known judges who are credible and known in the industry. It seems like the whole bounty scheme could be heating up.
Source: Network World
- Fitbit Vulnerability Means Your Tracker Could Spread Malware
- OWASP WebGoat – Deliberately Insecure Web Application
- WinRAR Vulnerability Is Complete Bullshit
- Google Expands Pwnium Year Round With Infinite Bounty
- Mac owned on 2nd day of Pwn2Own hack contest
- 2007 Hacker Reverse Engineering Challenge
Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 232,339 views
- AJAX: Is your application secure enough? - 119,740 views
- eEye Launches 0-Day Exploit Tracker - 85,316 views