updated 10:12 am EST, Thu November 7, 2013
Bug bounty offers up to $5,000 for vulnerabilities in server software
Microsoft is teaming up with Facebook to offer more bounties for bugs and flaws in software used to by a vast majority of websites. The Internet bug bounty, HackerOne, sees the two companies paying cash prizes of between $300 and $5,000 in exchange for details for vulnerabilities in server-based software and frameworks such as PHP, Ruby, Rails, OpenSSL, and Apache httpd.
Vulnerabilities submitted to the project will be judged by a panel from Facebook, Microsoft, Google, and others to not only verify the bug, but also the severity and the value of bounty to be provided to the submitter, with the panel also able to go higher than the stated maximum at its discretion.
The project is "meant for those very, very severe bugs that would have dire consequence for the Internet if they were to get into the wrong hands," advised Facebook product security lead Alex Rice to Reuters. While the three companies "are fierce competitors," Rice claims that the security teams don't have to follow the company's general lead and will help each other in cases such as these. "Our competition is the bad guys."
Both Facebook and Microsoft offer their own bug reporting schemes. Microsoft has already paid out its maximum award of $100,000 for a critical flaw in Internet Explorer, one which it has already patched. Facebook offers just $500 for successful bugs, but earlier this year it was discovered that the company refused to pay out to a Palestinian submission after first dismissing it as a bug, and then claiming a violation of the site's Terms of Service.