New Internet Bug Bounty holds companies accountable, protects hackers
Security high-hats from Microsoft, Facebook and others have launched HackerOne: an open call for hackers to submit Internet bugs for cash. Hackers can remain anonymous, while all vulns are made public.
Hackers looking to make quick cash just got a new way to grease their bank accounts with the launch of HackerOne's Internet Bug Bounty.
Security high-hats from primary sponsors Microsoft and Facebook, along with volunteers from Etsy, Chrome and ISEC Partners calling themselves HackerOne today announced a bounty program trading cash for bugs in Open SSL, Python, Ruby, PHP, Rails, Perl and "the Internet," among others.
Hackers can submit as anonymously as they prefer. Response Teams from affected companies and products are cautioned against taking punitive action against the hackers.
And if you're on a response team for a product that might be affected by a bug on the bounty list, you'd be wise to register with HackerOne if you want to be notified about exploits and vulnerabilities immediately.
Legit bugs affecting products will be reported to Response Teams right away through the HackerOne platform, otherwise the Internet Bug Bounty panel promises to do everything possible to reach and inform affected companies with the disclosure.
And if a company doesn't pick up the phone when HackerOne calls?
Before you go off thinking the program is just for white knights, the organizers have made it clear they're also looking for bug hunters who want to remain off the books: submitters can remain anonymous, even to the point of deferring payment to a charity of their choice.
To register, hackers only need provide a name, username, password, and email address; HackerOne states it deletes all access logs after 180 days.
But if you're looking for credit, HackerOne says you'll definitely get it.
HackerOne told ZDNet that hackers choosing to give their reward to charity can pick any charity they like, plus HackerOne might even throw in a little extra scratch to give the hacker's favorite charity a bit more to celebrate.
Its Disclosure Policy has some ethical guidelines for hackers to follow if they're going to play ball with HackerOne, but HackerOne has sided its policy to be clear about its stance to protect hackers who bring in bugs.
The guidelines for Response Teams that HackerOne will work with states that teams from affected products and companies have to credit the hacker for discovery, and can't threaten hackers, punish them for finding vulns, and can't turn them over to the cops.
Do no harm. Not take unreasonable punitive actions against researchers, like making legal threats or referring matters to law enforcement.
Perhaps that's because some of the people on HackerOne's interesting team have seen some action.
We’re a group of hackers and researchers who have been frustrated by the failings of vulnerability disclosure status quo.
Members of our team have managed bounty programs at Facebook, Google and Microsoft, participated in bug bounty programs, and disclosed vulnerabilities under dubious conditions.
Young hackers can join the hunt, too. There is no minimum age for submissions and payout, though in keeping with the Children's Online Privacy Protection Act hackers under 13 will need to have a parent or guardian claim the bounty.