Fwd: [IP] Now there's a bug bounty program for the whole Internet

"Eggert, Lars" <lars@netapp.com> Thu, 07 November 2013 13:11 UTC

From: "Eggert, Lars" <lars@netapp.com>
To: IETF <ietf@ietf.org>
Subject: Fwd: [IP] Now there's a bug bounty program for the whole Internet
Date: Thu, 07 Nov 2013 13:11:06 +0000
Message-ID: <8D116B07-B71B-4F1A-A8CA-92865D9CFA34@netapp.com>
References: <CAKx4triGF6X=1RGMhhxq-a_iySck1WAd6y5vW=-Rk_kHzTXiZg@mail.gmail.com>

Begin forwarded message:

> From: Dave Farber <dave@farber.net>
> Subject: [IP] Now there's a bug bounty program for the whole Internet
> Date: 7 Nov 2013 3:05:28 PST
> To: ip <ip@listbox.com>
> Reply-To: <dave@farber.net>
> ---------- Forwarded message ----------
> From: Dewayne Hendricks 
> Date: Thursday, November 7, 2013
> Subject: [Dewayne-Net] Now there's a bug bounty program for the whole Internet
> To: Multiple recipients of Dewayne-Net <dewayne-net@warpspeed.com>
> Now there’s a bug bounty program for the whole Internet
> Sponsored by Microsoft and Facebook, program pays researchers big cash rewards.
> By Dan Goodin
> Nov 6 2013
> <http://arstechnica.com/security/2013/11/now-theres-a-bug-bounty-program-for-the-whole-internet/>
> Microsoft and Facebook are sponsoring a new program that pays big cash rewards to whitehat hackers who uncover security bugs threatening the stability of the Internet at large.
> The Internet Bug Bounty program, which in some cases will pay $5,000 or more per vulnerability, is sponsored by Microsoft and Facebook. It will be jointly controlled by researchers from those companies along with their counterparts at Google, security firm iSec Partners, and e-commerce website Etsy. To qualify, the bugs must affect software implementations from a variety of companies, potentially result in severely negative consequences for the general public, and manifest themselves across a wide base of users. In addition to rewarding researchers for privately reporting the vulnerabilities, program managers will assist with coordinating disclosure and bug fixes involving large numbers of companies when necessary.
> The program was unveiled Wednesday, and it builds off a growing number of similar initiatives. Last month, Google announced rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages. Additionally, Google, Facebook, Microsoft, eBay, Mozilla, and several other software or service providers pay cash in return for private reports of security vulnerabilities that threaten their users.
> "We're trying to broaden the scope a little bit and cover a lot of stuff that doesn't have a particular vendor behind it or things that all of us benefit from joining together to tackle," Alex Rice, a security researcher at Facebook, told Ars.
> "We've got a lot of customers in common," Microsoft security researcher Katie Moussouris added. "It makes sense for us to join together and make the Internet safer for everybody."
> One focus of the program is defects in so-called security sandboxes. Built into programs including the Chrome and Internet Explorer browsers and Adobe's Reader and Flash programs, the measures are designed to separate potentially dangerous content downloaded from the Internet from sensitive operating-system functions, such as those that access data stored on a hard drive or install new programs. As sandboxes have become more widely used, hacks that allow attackers to bypass sandbox protections have become increasingly valuable, especially when they work across multiple OSes or applications.
> The program will pay rewards for sandbox escapes that typically manifest as a vulnerability in an OS kernel or an implementation error. It will also pay minimum bounties of $5,000 for significant vulnerabilities that affect the Internet at large. Examples include an exploit dubbed BEAST from 2011 that silently decrypted HTTPS-encrypted data passing between a Web server and end user, a devastating bug in the Debian distribution of Linux that in 2008 produced easy-to-break cryptography keys, and another vulnerability from 2008 in the Internet's digital certificate system that allowed attackers to forge counterfeit credentials needed to impersonate virtually any website that relied on the security measure.
> [snip]