Microsoft and Facebook to back HackerOne internet bug bounties

HackerOne, a volunteer security organisation, has picked up the backing of software powerhouses Microsoft and Facebook to conduct a program of bug bounties. Or, as the program's internet page says, "Simply put: Hack all the things, send us the good stuff, and we'll do our best to reward you."

The program rewards users for finding security issues in a selection of software that powers the internet; if the hacker submits a patch for the issue, the reward can be increased. The full list of technologies qualifying for bounties is: PHP, Perl, OpenSSL, Rails, nginx, Apache httpd, Python, Ruby, django, and phabricator.

Two special categories exist that are not tied to one specific technology. The first is being able to break out of sandbox enclosures found in Chrome, Internet Explorer 10 EPM, Adobe Reader, and Adobe Flash. The second general category is simply entitled "The internet". To qualify for a bounty, the vulnerability should be widespread, novel, vendor agnostic, and severe.

Monetary rewards for the general categories start at $5,000, with the technology-focused bounties ranging from minimum payments of $2,500 for OpenSSL and as low as $300 for Phabricator.

HackerOne says in its FAQ that neither itself nor members of any vulnerability judging panel receive any portion of Microsoft and Facebook's funding, and that funding does not give sponsors any special access or rights to bug data.

Google has been running its own bounty program for security vulnerabilities for a number of years now, and recently announced that it had paid out over $2 million to hackers over the lifetime of its Chromium and Google Web Vulnerability Reward Programs.