Microsoft and Facebook today jointly launched a new initiative called the Internet Bug Bounty program. In short, the two companies are looking to secure the Internet stack by rewarding anyone and everyone who hacks it, and responsibly discloses any vulnerabilities they find.
The minimum bounty for hacking any component of the Internet is $5,000. Here are the requirements for discovered security holes:
- Be widespread: vulnerability manifests itself across a wide range of products, or impacts a large number of end users.
- Be vendor agnostic: vulnerability is present in implementations from multiple vendors or a vendor with dominant market share.
- Be severe: vulnerability has extreme negative consequences for the general public.
- Be novel: vulnerability is new or unusual in an interesting way.
There are also bounties for other components, including: Sandbox Escapes ($5,000), OpenSSL ($2,500), Python ($1,500), Ruby ($1,500), PHP ($1,500), Django (coming soon), Rails ($1,500), Perl ($1,500), Phabricator ($300), Nginx ($500), and Apache httpd ($500).
The rewards can go higher at the discretion of a review panel, which includes four Microsoft employees, three Facebook employees, one Google employee, one iSEC Partners employee, and one Etsy employee. “These security experts are responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise,” the program’s page explains.
Before you jump in, however, there are a few caveats regarding payment that you should know about. From the program's own rules:
Because we’re based in the United States, we aren’t able to pay bounties to residents or those who report vulnerabilities from a country against which the United States has trade restrictions or export sanctions (such as Cuba, Iran, North Korea, Sudan, and Syria).
Minors are welcome to participate in the program. However, the Children’s Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are 12 or younger.
To start, you’ll need to sign up over at hackerone.com by providing your name and email address. Hacking for fun and profit, what could be better?
See also:
- Google begins offering financial rewards for proactive security patches made to select open-source projects
- Microsoft expands $100,000 bug bounty from just security researchers to groups, responders, and forensic experts
Top Image Credit: Tracy Olson