Microsoft and Facebook Launch Internet Bug Bounty Program

An anonymous reader writes "Microsoft and Facebook today jointly launched a new initiative called the Internet Bug Bounty program. In short, the two companies are looking to secure the Internet stack by rewarding anyone and everyone who hacks it, and responsibly discloses vulnerabilities they find. The minimum bounty for hacking any component of the Internet is $5,000."

If you can't beat them ..

[arisvega]

.. bribe them.

Re:If you can't beat them ..

[fuzzyfuzzyfungus]

.. bribe them.

Strictly speaking, unless the bounties get substantially bigger than the minimum, and relatively quickly, it's more along the lines of 'If you can't beat them, see if you can provide additional motivation to people already on your side; but perhaps not bothering to focus on the problems you care about."

Re:If you can't beat them ..

If you can't beat them ..
.. bribe them.

Looks like that's what's happened to Slashdot. Microsoft seems to own the front page now.

Does anyone know where we can go to discuss real tech?

Re:If you can't beat them ..

[behrooz0az]

phoronix, theregister, arstechnica, there is a whole plethora of sites for real tech.I'm getting tired of all M$ and facebook things too.
If I liked facebook I'd be there already.

Re:If you can't beat them ..

[jones_supa]

Looks like that's what's happened to Slashdot. Microsoft seems to own the front page now.

Does anyone know where we can go to discuss real tech?

I am but glad that Microsoft stuff is occasionally featured on the Slashdot front page too. It is as important company as Apple, Samsung, Red Hat, Intel or whatever. I want to hear about MS too: both their successes and embarrassing mistakes.

However in addition to Slashdot I also read a site called InfoQ, they have pretty good stuff too.

Re:If you can't beat them ..

fuck off you elitist bastard.

Mistake

[Rosco+P.+Coltrane]

The minimum fine for hacking any component of the Internet is $5,000

There, fixed that for you.

Didn't you know? Hacking has become a criminal activity that sends you to court nowadays...

Re:Mistake

The minimum fine for hacking any component of the Internet is $5,000

There, fixed that for you.

Didn't you know? Hacking has become a criminal activity that sends you to court nowadays...

No, using the word hacking and automatically associating it with illegal activity is the true crime here.

And I want to start threatening it at a criminal level (in the same way someone would decree libel or slander) in order to get that fucking point across.

The only difference between "hacking" and "research and development" is legality and/or sponsorship (Government would be in the "or" category, for they don't give a fuck about laws. Ref. NSA).

Re:Mistake

[Joining+Yet+Again]

AC [from basement]: Mooooooom they're not using English words they way I want them to be used.

Mom: Why don't you call the Académie anglaise?

AC: Moooom ur SOOOOOO dumb there isn't an Académie anglaise you see English is a descriptive language GOD THIS IS TYPICAL PUBLIC SCHOOL AMERICAN EDUCATION...

Mom: Erm, you went to a publi.. never mind, your sarcasm/nuance detector is clearly broken. OK, so given that words evolve, what do you think we can do about it?

AC: Moooooooooooom call my lawyer it's slander!!!!!

Mom: You're a 25 year old manchild, you don't have a lawyer.

AC: Mooooooooooom call the police!!!

Mom: Why can't you?

AC: Moooooooooom I don't like using the 'phone, people are mean to me, they say I'm a criminal cos I'm a hacker. It's not my fault I'm more intelligent than them :'(.

Mom: There there, son.

AC: Bitty.

Mom: Not now, son, we're doing a piece for Slashdot.

AC: But, mom, bitty.

Mom: Oh, all right, sweety, come here.

* Mom takes out breast and AC begins suckling.

Re:Mistake

[VortexCortex]

The minimum fine for hacking any component of the Internet is $5,000

There, fixed that for you.

Didn't you know? Hacking has become a criminal activity that sends you to court nowadays...

No, using the word hacking and automatically associating it with illegal activity is the true crime here.

And I want to start threatening it at a criminal level (in the same way someone would decree libel or slander) in order to get that fucking point across.

The only difference between "hacking" and "research and development" is legality and/or sponsorship (Government would be in the "or" category, for they don't give a fuck about laws. Ref. NSA).

I agree with you. However, it's too fucking late.

They control the discourse, and the media is not your friend. You should have considered them the enemy long ago. Now it's too late. The system is full of maliciousness. I'm afraid you'll have to wipe the platters, reboot and rebuild from a known good state.

Re:Mistake

[wonkey_monkey]

No, using the word hacking and automatically associating it with illegal activity is the true crime here.

The only difference between "hacking" and "research and development" is legality

Make your mind up.

The Internet?

Hacking the Internet? Must be a new form of hacking the Gibson.

Re:The Internet?

https://hackerone.com/internet

Sounds like protocol vulnerabilities and common implementation vulnerabilities would fall under this section.

Re:The Internet?

This does a redirect to a page complaining that I have JavaScript disabled. What's asinine for it is that the text would otherwise just show fine (it shows up shortly before the redirect kicks in). And since it's a true redirect (different URL), I cannot look at the source.

(And for some reason the "disallow redirects" option on the Firefox tab doesn't work, so no chance to get the text that way.)

Re:The Internet?

Hack the planet, baby, the planet!

Captcha: DISOBEY

Re:The Internet?

[magic+maverick+]

You just need to hit stop early enough. It is quite strange though. The text:

The Internet

Hack all the things.

        Bounties provided by IBB

Some of the most critical vulnerabilities in the Internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to demonstrate how much this research is appreciated. To that end, the Internet Bug Bounty Panel will award public research into vulnerabilities with the potential for severe security implications to the public.

Simply put: hack all the things, send us the good stuff, and we'll do our best to reward you.
The Fine Print

To qualify, vulnerabilities should meet most of the following criteria:

        Be widespread: vulnerability manifests itself across a wide range of products, or impacts a large number of end users.
        Be vendor agnostic: vulnerability is present in implementations from multiple vendors or a vendor with dominant market share.
        Be severe: vulnerability has extreme negative consequences for the general public.
        Be novel: vulnerability is new or unusual in an interesting way.

The Panel will gladly assist with the coordinated disclosure of any potential vulnerabilities. However, we recognize that we may not be the most effective avenue in all circumstances. We will gladly consider rewards for vulnerabilities that have been publicly disclosed through some other means, provided they adhered to our disclosure guidelines.

It's important to keep in mind that not all submissions will qualify for a bounty. The decision to award a bounty is entirely at the discretion of the Internet Bug Bounty Panel.
Examples

We provide the following examples of publicly disclosed vulnerabilities that we would have rewarded:

        SSL blockwise chosen-boundary attack, aka BEAST
        DNS Insufficient Socket Entropy Vulnerability
        Debian predictable PRNG
        Sotirov, et al. MD5 Collision attack against PKI

Bounty Guidance

        Minimum reward of $5,000 with significantly higher rewards granted at the Panel's discretion

Re:The Internet?

OK, I now managed to read the page by saving it to a file, commenting out the noscript-redirect (it was a meta refresh inside a noscript tag), and opening the modified file.

Captcha: fiddle

Any component? Wohoo! Free money!

The minimum bounty for hacking any component of the Internet is $5,000.

My Internet-facing router is a "component of the Internet" and I have already hacked it.

Pay up, bitches!

Simple very effective solution

[jkrise]

Redirect facebook.com and microsoft.com and all their servers and namesakes to 0.0.0.0 or to 127.0.0.1 in the root DNS servers. Problem solved.

Re:Simple very effective solution

Works for me. Can't do this for microsoft sites because of my job but here's the full list of Facebook sites I've blocked. Pretty sure that's all of them.

facebook.com
fbcdn.net
fbcdn.com

Re:Simple very effective solution

root DNS servers != your local hosts file

Re:Simple very effective solution

[Thanshin]

Unless the Root DNS server has acquired conscience and is posting as AC on Slashdot.

Re:Simple very effective solution

Unless the Root DNS server has acquired conscience and is posting as AC on Slashdot.

No one with a conscience would post as an AC on /.

Internet you say?

Watch out Gopher, I'm coming for you!

Dangers....

Hope they don't brake the internet.... Althou no one hardly ever uses it anymore since the web 2.0 came along!

Re:Dangers....

I only brake for homophones.

in a strange twist of fate

[nimbius]

today two companies I despise, microsoft and facebook, came together to offer me not a job with dental and health benefits, but what most would conclude is a pittance for securing something as arbitrary and vast as "the internet."

the black market on the other hand offered to pay handsomly a years salary for my exploit that breaks microsoft embedded security in appliances like ATM's and nuclear reactors, thereby recognizing and acknowledging my important work in the field of security. Until such time as megacorps get their milton freeman head out of their ayn rand arse, im inclined to sell to the highest bidder because $5000 bounties dont pay my mortgage.

Re:in a strange twist of fate

[fuzzyfuzzyfungus]

Hmm... You have a point there.

Incidentally, I bet it would be cheaper to buy a law declaring people who sell exploits on the black market to be criminally responsible, as 'conspirators', for any and all subsequent use of them, thus encouraging people to remain in our sharecropper bounty system, than it would be to actually pay the workers more...

Re:in a strange twist of fate

i totally agree 100%. while languages such as php may be badly designed (lack of transistivity as an example), the time, effort and dedication required to find something as non-trivial as "typically Arbitrary Code Execution or equivalent impact" significantly outweighs the reward.

furthermore from the website

"The project maintainers have final decision on which issues constitute security vulnerabilities. The Panel will respect their decision, and we ask that you do as well."

this is bogus especially when you consider the case months ago in which a hacker from pakistan had to post to zuckerbergs wall to finally receive attention. project maintainers are quick to turn "bugs" into "features" and do not like to be embarrassed.

in short, this program is going nowhere. as far as white hats are concerned, it is only useful for security researchers already in the field and working a well-paying job.

Re:in a strange twist of fate

Paying the mortgage with cash from the black market sounds like a great idea! Until one fine sunny Tuesday morning the doorbell rings and it's the postal service with a certified letter from the IRS.

Re:in a strange twist of fate

[auric_dude]

Just wondering why Microsoft and Facebook let code out of the door that has these defects, is it an altruistic gesture to foster and finance an informal quality control and code testing stratum of society?

Re:in a strange twist of fate

[mlw4428]

The difference is that with the black market one could fine oneself without need of a mortgage as one will have their housing provided by a state or federal penitentiary.

Re:in a strange twist of fate

[mlw4428]

Oops -- should say "find", not fine.

Re:in a strange twist of fate

[h4rr4r]

You have to pay taxes on all income, including the illegal kind. So there is no problem with paying your mortgage that way.

Re: in a strange twist of fate

[UnknownSoldier]

I dispise MS and Facebook as much as the next guy but show me bug-free code and I have a bridge I'd like to sell you. However your point about the absymal lack of Quality Assurance is with merit considering the resources these have to do a better job of testing.

Re:in a strange twist of fate

[Mr_Silver]

the black market on the other hand offered to pay handsomly a years salary for my exploit that breaks microsoft embedded security in appliances like ATM's and nuclear reactors, thereby recognizing and acknowledging my important work in the field of security.

So what? It's well known that crime always pays significantly better than being honest - unless, of course, you get caught.

A smash and grab robber in a Rolex store is going to make more $ per hour than your server in McDonalds or even a white collar worker.

However for the vast majority of people, this is a complete non-issue because their moral compass is firmly intact.

Re: in a strange twist of fate

secure != bug-free

Sure, bug-free code may also be secure code (unless, say, it's completely bug-free implementation of a flawed protocol), but you can also have secure code that has bugs (ie, doesn't behave exactly as desired but that misbehaviour is not exploitable).

Re:in a strange twist of fate

the black market on the other hand offered to pay handsomly a years salary for my exploit that breaks microsoft embedded security in appliances like ATM's and nuclear reactors, thereby recognizing and acknowledging my important work in the field of security.

So what? It's well known that crime always pays significantly better than being honest - unless, of course, you get caught.

A smash and grab robber in a Rolex store is going to make more $ per hour than your server in McDonalds or even a white collar worker.

However for the vast majority of people, this is a complete non-issue because their moral compass is firmly intact.

1. The risk of selling an exploit is much lower because most people who can find them can also use the internet anonymously. It's impossible to steal a physical object as safely as one can sell information.

2. What's immoral about selling these exploits? Anyone using Microsoft products or Facebook doesn't care about security anyways. Do you think security researchers should just work for whatever price a monopolist is willing to offer?

Re:in a strange twist of fate

[fuzzyfuzzyfungus]

A certified letter from the IRS would be polite. A DEA SWAT team who assumes that your mystery-money is a sign of drug dealing... Less so. Be sure that your dog isn't home at the time and that there are no flammible family members who might experience adverse effects is somebody threw a flashbang too close to them.

Re:in a strange twist of fate

and perhaps to could spend some of that money getting a spell checker, and buy a ladder so you can get off your high horse

NSA wins the jackpot, goes private

Politicians can't stop them, the NSA has dirt on everyone.

Meh

[CuteSteveJobs]

NSA will pay me twice that much! :)

Re:Meh

[VortexCortex]

No they will not. They will pay the rate going on the black market, for the exploits they purchase.

I agree with the general gist, but if you're marketing to the NSA, you're also marketing to all the other black market exploit buyers. The price can be far higher depending on the exploit. Interestingly, this means the NSA is helping support the exploit vector black market, and this is a threat to national security...

"It's not just us!!"

[markdavis]

"
        Be widespread: vulnerability manifests itself across a wide range of products, or impacts a large number of end users.
        Be vendor agnostic: vulnerability is present in implementations from multiple vendors or a vendor with dominant market share.
        Be severe: vulnerability has extreme negative consequences for the general public.
        Be novel: vulnerability is new or unusual in an interesting way.
"

So MS is tired of seeing just the TONS of bugs and major issues with their products and wants to bribe the community to please try and show that a least of few of those same bugs affect other, non-MS platforms? Yeesh.

Re:"It's not just us!!"

https://bugzilla.redhat.com/buglist.cgi?component=vulnerability&order=bug_id%20DESC&product=Security%20Response&query_based_on=&query_format=advanced

Re:"It's not just us!!"

[Burz]

Notice there is no mention of IIS or other MS products in the article or the linked page.

Re:"It's not just us!!"

[Burz]

https://bugzilla.redhat.com/buglist.cgi?component=vulnerability&order=bug_id%20DESC&product=Security%20Response&query_based_on=&query_format=advanced

OTOH, MS helps the NSA keep a secret catalog of zero-days to use at their leisure.

Re:"It's not just us!!"

[Skiron]

I expect they was scared that the links would flag all sorts of virus/trojan warnings in a users browser...

NSA Cashes In!

[__aaltlg1547]

I bet they could make $100,000,000 the first day.

Microsoft, Facebook and NSA

sounds more like it...

Remember kids, the only responsible disclosure is full disclosure.

https://en.wikipedia.org/wiki/Full_disclosure

Microsoft and Facebook are the biggest bugs

[oo_00]

Microsoft is the biggest and most harmful bug of all time in computing quality and security.
And Facebook is the biggest privacy bug.

Where do I report them?

WTF

[Skiron]

What do Microsoft and Facebook have to do with the Internet, ffs. They are CUSTOMERS of it, not owners.

Re:WTF

[kekx]

Even if that is the case (which it isn't in my opinion), why would you complain if your customers pay to improve your product? This is obviously good for "the internet" (whatever that is).

Re:WTF

[freeze128]

It's also good for Microsoft's bottom line. They are asking people to find exploits in the TCP/IP stack, which they will *NOT* patch in Windows XP. Then support will end for Windows XP, and with all these exploits floting around, will force people to buy more Microsoft Windows 8.1 goodness.

Re:WTF

joogle, microsoft, facebooger, et.al do not own the internet, therefore its not theirs to "secure".

if you wanna pick up litter on your block, thats cool, but if you pick up litter in the house of commons, you might get your ipad confiscated!

AC= Mike Jack Nemo

NSA, Merkel, metadata has all been in the news recently, but they have managed to keep akamai,amdocs,onavo,facebooger out of the news, unless you dont subscribe to Bloombooger Direct....

when a chain-gang goes picking up litter, everyone seems to be happy, but when the litter is really YOUR private data, and the chain-gang are not wards of state, rather multinational-IT firms siphoning subsidies/moneys/metadat to the israeli wormhole, that aint something to be happy about. Microsoft based their LiveOneAntiVirus centre there years ago (it has since been closed), but facebooger and goooogle certainly base much operation (and expenditure) in the israeli wormhole.

go figgur

Re:WTF

[kekx]

I did not debate that, it's also quite obvious, that it is good for Microsoft - in a variety of ways - , otherwise they wouldn't be paying $$ for it ;)

I pointed out hassles in the IP stack

To BOTH the then VP of Windows Client Performance Division (right here on /. no less where HE CONCEDED I AM CORRECT ON NO LESS -> http://slashdot.org/comments.pl?sid=1467692&cid=30384918 ) & also to Mr. Steven Sinofsky's blog on "Engineering Windows 7" -> http://blogs.msdn.com/b/e7/archive/2009/02/25/feedback-and-engineering-windows-7.aspx?PageIndex=3

* Did they change it - even though it was conceded to SLOW DOWN a part of Windows in the IP stack?

ANSWER = No...

(No - They, of ALL people since they're "in charge" there or were @ the time, even though they SAID they would? Never got back to me in the 1st case though they said they would!)

Which personally I could give 2 shits about on "getting back to me" (OR even giving me credit for finding the blunder) - no, instead: PLEASE, just FIX it!

NOW, however: What did I hear, that ASTOUNDED ME the most (from the VP, not the then head of Windows in Sinofsky)?

"PASS THE BUCK BULLSHIT" is what:

Pretty much "It's not MY dept. - talk to the guys who designed the IP stack" - WTF?!?

Hey... This IS a performance issue, one YOU conceded, & YES YOU ARE THE HEAD OF THE DIVISION CONCERNING PERFORMANCE!

MS needs NEW & BETTER mgt... period, & all the way around from my experience there!

(Especially, vs. ignorant "we are in the billionaire boys club frat together rats", who "pass the buck" when confronted AND shown to have their pants down during doing so as I did to them...)

APK

P.S.=> Sometimes, MS pisses me off even though I am a HUGE "fanboy" of theirs, I have to admit it...

So "initiatives" like this just make me laugh, they really truly do!

See - I know a LOT of things that need fixing (both in security AND in other areas like efficiency, & that's only SCRATCHING THE SURFACE above - only thing is, they're TURNED ME OFF to even trying anymore, since nobody does a damned thing about it... not even the "top dogs")...

... apk