New Internet Bug Bounty holds companies accountable, protects hackers

Security high-hats from Microsoft, Facebook and others have launched HackerOne: an open call for hackers to submit Internet bugs for cash. Hackers can remain anonymous, while all vulns are made public.
Written by Violet Blue, Contributor

Hackers looking to make quick cash just got a new way to grease their bank accounts with the launch of HackerOne's Internet Bug Bounty.

Security high-hats from primary sponsors Microsoft and Facebook, along with volunteers from Etsy, Chrome and iSEC Partners calling themselves HackerOne today announced a bounty program trading cash for bugs in OpenSSL, Python, Ruby, PHP, Rails, Perl and "the Internet," among others.


According to HackerOne's Disclosure Policy, the companies behind the program are not allowed special access or rights to the submitted bugs.

Hackers can submit as anonymously as they prefer. Response Teams from affected companies and products are cautioned against taking punitive action against the hackers.

And if you're on a response team for a product that might be affected by a bug on the bounty list, you'd be wise to register with HackerOne if you want to be notified about exploits and vulnerabilities immediately.

Legit bugs affecting products will be reported to Response Teams right away through the HackerOne platform; otherwise, the Internet Bug Bounty panel promises to do everything possible to reach and inform affected companies of the disclosure.

And if a company doesn't pick up the phone when HackerOne calls?

Companies have seven days to respond, then:

If we aren't able to contact the Response Team, the Bug Report will be made public 30 days after our initial contact attempt.

Regardless, all bug data is eventually shared with the public.

The Internet Bug Bounty says its aim is "Rewarding friendly hackers who contribute to a more secure internet."

Before you go off thinking the program is just for white knights, the organizers have made it clear they're also looking for bug hunters who want to remain off the books: submitters can remain anonymous, even to the point of deferring payment to a charity of their choice.

To register, hackers only need to provide a name, username, password, and email address; HackerOne states it deletes all access logs after 180 days.

But if you're looking for credit, HackerOne says you'll definitely get it.

HackerOne told ZDNet that hackers choosing to give their reward to charity can pick any charity they like, plus HackerOne might even throw in a little extra scratch to give the hacker's favorite charity a bit more to celebrate.

Its Disclosure Policy has some ethical guidelines for hackers to follow if they're going to play ball with HackerOne, but HackerOne has written its policy to be clear about its stance of protecting hackers who bring in bugs.

The guidelines for Response Teams that HackerOne will work with state that teams from affected products and companies have to credit the hacker for discovery, and can't threaten hackers, punish them for finding vulns, or turn them over to the cops.

HackerOne's Disclosure Guidelines state, "Response Teams should..."

Do no harm. Not take unreasonable punitive actions against researchers, like making legal threats or referring matters to law enforcement.

Perhaps that's because some of the people on HackerOne's interesting team have seen some action.

We’re a group of hackers and researchers who have been frustrated by the failings of the vulnerability disclosure status quo.

Members of our team have managed bounty programs at Facebook, Google and Microsoft, participated in bug bounty programs, and disclosed vulnerabilities under dubious conditions.

Young hackers can join the hunt, too. There is no minimum age for submissions and payout, though in keeping with the Children's Online Privacy Protection Act hackers under 13 will need to have a parent or guardian claim the bounty.

Sandbox escapes and "the Internet" start at $5K, with OpenSSL at $2500, followed by Python, Ruby, PHP, Rails and Perl coming in at $1500 per bug. Apache httpd and Nginx fetch $500 a pop, Phabricator is $300, while Django is listed at this time with no minimum bounty.

Hackers can also submit bugs via private YouTube videos, but HackerOne requires all video submissions to have bad techno playing in the background.
