Slashdot Mirror


Microsoft and Facebook Launch Internet Bug Bounty Program

An anonymous reader writes "Microsoft and Facebook today jointly launched a new initiative called the Internet Bug Bounty program. In short, the two companies are looking to secure the Internet stack by rewarding anyone and everyone who hacks it, and responsibly discloses vulnerabilities they find. The minimum bounty for hacking any component of the Internet is $5,000."

34 of 57 comments

  1. If you can't beat them .. by arisvega · · Score: 2

    .. bribe them.

    --
    The three laws of thermodynamics: (1) You can't win. (2) You can't break even. (3) You can't even quit.
    1. Re:If you can't beat them .. by fuzzyfuzzyfungus · · Score: 2

      .. bribe them.

      Strictly speaking, unless the bounties get substantially bigger than the minimum, and relatively quickly, it's more along the lines of "If you can't beat them, see if you can provide additional motivation to people already on your side; but perhaps not bothering to focus on the problems you care about."

    2. Re:If you can't beat them .. by Anonymous Coward · · Score: 1

      If you can't beat them ..
      .. bribe them.

      Looks like that's what's happened to Slashdot. Microsoft seems to own the front page now.

      Does anyone know where we can go to discuss real tech?

    3. Re:If you can't beat them .. by behrooz0az · · Score: 1

      phoronix, theregister, arstechnica, there is a whole plethora of sites for real tech. I'm getting tired of all M$ and facebook things too.
      If I liked facebook I'd be there already.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    4. Re:If you can't beat them .. by jones_supa · · Score: 1

      Looks like that's what's happened to Slashdot. Microsoft seems to own the front page now.

      Does anyone know where we can go to discuss real tech?

      I am but glad that Microsoft stuff is occasionally featured on the Slashdot front page too. It is as important a company as Apple, Samsung, Red Hat, Intel or whatever. I want to hear about MS too: both their successes and embarrassing mistakes.

      However, in addition to Slashdot I also read a site called InfoQ; they have pretty good stuff too.

  2. Mistake by Rosco+P.+Coltrane · · Score: 3, Insightful

    The minimum fine for hacking any component of the Internet is $5,000

    There, fixed that for you.

    Didn't you know? Hacking has become a criminal activity that sends you to court nowadays...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Mistake by Joining+Yet+Again · · Score: 2

      AC [from basement]: Mooooooom they're not using English words the way I want them to be used.

      Mom: Why don't you call the Académie anglaise?

      AC: Moooom ur SOOOOOO dumb there isn't an Académie anglaise you see English is a descriptive language GOD THIS IS TYPICAL PUBLIC SCHOOL AMERICAN EDUCATION...

      Mom: Erm, you went to a publi.. never mind, your sarcasm/nuance detector is clearly broken. OK, so given that words evolve, what do you think we can do about it?

      AC: Moooooooooooom call my lawyer it's slander!!!!!

      Mom: You're a 25 year old manchild, you don't have a lawyer.

      AC: Mooooooooooom call the police!!!

      Mom: Why can't you?

      AC: Moooooooooom I don't like using the 'phone, people are mean to me, they say I'm a criminal cos I'm a hacker. It's not my fault I'm more intelligent than them :'(.

      Mom: There there, son.

      AC: Bitty.

      Mom: Not now, son, we're doing a piece for Slashdot.

      AC: But, mom, bitty.

      Mom: Oh, all right, sweety, come here.

      * Mom takes out breast and AC begins suckling.

    2. Re:Mistake by VortexCortex · · Score: 1

      The minimum fine for hacking any component of the Internet is $5,000

      There, fixed that for you.

      Didn't you know? Hacking has become a criminal activity that sends you to court nowadays...

      No, using the word hacking and automatically associating it with illegal activity is the true crime here.

      And I want to start threatening it at a criminal level (in the same way someone would decree libel or slander) in order to get that fucking point across.

      The only difference between "hacking" and "research and development" is legality and/or sponsorship (Government would be in the "or" category, for they don't give a fuck about laws. Ref. NSA).

      I agree with you. However, it's too fucking late.

      They control the discourse, and the media is not your friend. You should have considered them the enemy long ago. Now it's too late. The system is full of maliciousness. I'm afraid you'll have to wipe the platters, reboot and rebuild from a known good state.

    3. Re:Mistake by wonkey_monkey · · Score: 1

      No, using the word hacking and automatically associating it with illegal activity is the true crime here.

      The only difference between "hacking" and "research and development" is legality

      Make your mind up.

      --
      systemd is Roko's Basilisk.
  3. The Internet? by Anonymous Coward · · Score: 1

    Hacking the Internet? Must be a new form of hacking the Gibson.

    1. Re:The Internet? by magic+maverick+ · · Score: 1

      You just need to hit stop early enough. It is quite strange though. The text:

      The Internet

      Hack all the things.

              Bounties provided by IBB

      Some of the most critical vulnerabilities in the Internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to demonstrate how much this research is appreciated. To that end, the Internet Bug Bounty Panel will award public research into vulnerabilities with the potential for severe security implications to the public.

      Simply put: hack all the things, send us the good stuff, and we'll do our best to reward you.

      The Fine Print

      To qualify, vulnerabilities should meet most of the following criteria:

              Be widespread: vulnerability manifests itself across a wide range of products, or impacts a large number of end users.
              Be vendor agnostic: vulnerability is present in implementations from multiple vendors or a vendor with dominant market share.
              Be severe: vulnerability has extreme negative consequences for the general public.
              Be novel: vulnerability is new or unusual in an interesting way.

      The Panel will gladly assist with the coordinated disclosure of any potential vulnerabilities. However, we recognize that we may not be the most effective avenue in all circumstances. We will gladly consider rewards for vulnerabilities that have been publicly disclosed through some other means, provided they adhered to our disclosure guidelines.

      It's important to keep in mind that not all submissions will qualify for a bounty. The decision to award a bounty is entirely at the discretion of the Internet Bug Bounty Panel.

      Examples

      We provide the following examples of publicly disclosed vulnerabilities that we would have rewarded:

              SSL blockwise chosen-boundary attack, aka BEAST
              DNS Insufficient Socket Entropy Vulnerability
              Debian predictable PRNG
              Sotirov, et al. MD5 Collision attack against PKI

      Bounty Guidance

              Minimum reward of $5,000 with significantly higher rewards granted at the Panel's discretion

      --
      HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
  4. Simple very effective solution by jkrise · · Score: 1

    Redirect facebook.com and microsoft.com and all their servers and namesakes to 0.0.0.0 or to 127.0.0.1 in the root DNS servers. Problem solved.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Simple very effective solution by Thanshin · · Score: 2

      Unless the Root DNS server has acquired conscience and is posting as AC on Slashdot.

  5. in a strange twist of fate by nimbius · · Score: 5, Insightful

    Today two companies I despise, Microsoft and Facebook, came together to offer me not a job with dental and health benefits, but what most would conclude is a pittance for securing something as arbitrary and vast as "the internet."

    The black market on the other hand offered to pay handsomely a year's salary for my exploit that breaks Microsoft embedded security in appliances like ATMs and nuclear reactors, thereby recognizing and acknowledging my important work in the field of security. Until such time as megacorps get their Milton Friedman head out of their Ayn Rand arse, I'm inclined to sell to the highest bidder because $5000 bounties don't pay my mortgage.

    --
    Good people go to bed earlier.
    1. Re:in a strange twist of fate by fuzzyfuzzyfungus · · Score: 1

      Hmm... You have a point there.

      Incidentally, I bet it would be cheaper to buy a law declaring people who sell exploits on the black market to be criminally responsible, as 'conspirators', for any and all subsequent use of them, thus encouraging people to remain in our sharecropper bounty system, than it would be to actually pay the workers more...

    2. Re:in a strange twist of fate by auric_dude · · Score: 1

      Just wondering why Microsoft and Facebook let code out of the door that has these defects. Is it an altruistic gesture to foster and finance an informal quality control and code testing stratum of society?

    3. Re:in a strange twist of fate by mlw4428 · · Score: 1

      The difference is that with the black market one could fine oneself without need of a mortgage as one will have their housing provided by a state or federal penitentiary.

    4. Re:in a strange twist of fate by mlw4428 · · Score: 1

      Oops -- should say "find", not fine.

    5. Re:in a strange twist of fate by h4rr4r · · Score: 1

      You have to pay taxes on all income, including the illegal kind. So there is no problem with paying your mortgage that way.

    6. Re: in a strange twist of fate by UnknownSoldier · · Score: 2

      I despise MS and Facebook as much as the next guy, but show me bug-free code and I have a bridge I'd like to sell you. However, your point about the abysmal lack of Quality Assurance has merit considering the resources these have to do a better job of testing.

    7. Re:in a strange twist of fate by Mr_Silver · · Score: 1

      The black market on the other hand offered to pay handsomely a year's salary for my exploit that breaks Microsoft embedded security in appliances like ATMs and nuclear reactors, thereby recognizing and acknowledging my important work in the field of security.

      So what? It's well known that crime always pays significantly better than being honest - unless, of course, you get caught.

      A smash and grab robber in a Rolex store is going to make more $ per hour than your server in McDonalds or even a white collar worker.

      However for the vast majority of people, this is a complete non-issue because their moral compass is firmly intact.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    8. Re:in a strange twist of fate by fuzzyfuzzyfungus · · Score: 1

      A certified letter from the IRS would be polite. A DEA SWAT team who assumes that your mystery-money is a sign of drug dealing... Less so. Be sure that your dog isn't home at the time and that there are no flammable family members who might experience adverse effects if somebody threw a flashbang too close to them.

  6. Meh by CuteSteveJobs · · Score: 2

    NSA will pay me twice that much! :)

    1. Re:Meh by VortexCortex · · Score: 2

      No they will not. They will pay the going rate on the black market for the exploits they purchase.

      I agree with the general gist, but if you're marketing to the NSA, you're also marketing to all the other black market exploit buyers. The price can be far higher depending on the exploit. Interestingly, this means the NSA is helping support the exploit vector black market, and this is a threat to national security...

  7. "It's not just us!!" by markdavis · · Score: 1, Insightful

    "Be widespread: vulnerability manifests itself across a wide range of products, or impacts a large number of end users.
    Be vendor agnostic: vulnerability is present in implementations from multiple vendors or a vendor with dominant market share.
    Be severe: vulnerability has extreme negative consequences for the general public.
    Be novel: vulnerability is new or unusual in an interesting way."

    So MS is tired of seeing just the TONS of bugs and major issues with their products and wants to bribe the community to please try and show that at least a few of those same bugs affect other, non-MS platforms? Yeesh.

    1. Re:"It's not just us!!" by Burz · · Score: 1

      Notice there is no mention of IIS or other MS products in the article or the linked page.

    2. Re:"It's not just us!!" by Burz · · Score: 1

      https://bugzilla.redhat.com/buglist.cgi?component=vulnerability&order=bug_id%20DESC&product=Security%20Response&query_based_on=&query_format=advanced

      OTOH, MS helps the NSA keep a secret catalog of zero-days to use at their leisure.

    3. Re:"It's not just us!!" by Skiron · · Score: 1

      I expect they were scared that the links would flag all sorts of virus/trojan warnings in a user's browser...

  8. NSA Cashes In! by __aaltlg1547 · · Score: 1

    I bet they could make $100,000,000 the first day.

  9. Microsoft and Facebook are the biggest bugs by oo_00 · · Score: 1

    Microsoft is the biggest and most harmful bug of all time in computing quality and security.
    And Facebook is the biggest privacy bug.

    Where do I report them?

  10. WTF by Skiron · · Score: 1

    What do Microsoft and Facebook have to do with the Internet, ffs. They are CUSTOMERS of it, not owners.

    1. Re:WTF by kekx · · Score: 1

      Even if that is the case (which it isn't in my opinion), why would you complain if your customers pay to improve your product? This is obviously good for "the internet" (whatever that is).

    2. Re:WTF by freeze128 · · Score: 1

      It's also good for Microsoft's bottom line. They are asking people to find exploits in the TCP/IP stack, which they will *NOT* patch in Windows XP. Then support will end for Windows XP, which, with all these exploits floating around, will force people to buy more Microsoft Windows 8.1 goodness.

    3. Re:WTF by kekx · · Score: 1

      I did not debate that; it's also quite obvious that it is good for Microsoft - in a variety of ways - otherwise they wouldn't be paying $$ for it ;)