The Internet Bug Bounty
November 6, 2013 6:45 PM

Rewarding friendly hackers who contribute to a more secure internet. "We've selected some of the most important software that supports the internet stack, and we want you to hack it. If the public is demonstrably safer as a result of your contribution to internet security, we'd like to be the first to recognize your work and say "thanks" by sending some cash to you or your favorite non-profit." This is a full disclosure bug bounty program, and all vulnerability reports will eventually be made public. Also featuring an Allie Brosh logo for The Internet.
posted by destrius (15 comments total)
 
There's a lot more than $1500 available for people who find vulnerabilities in this software and don't have ethics.
posted by empath at 7:03 PM on November 6, 2013


Yeah this is well meaning by Facebook and Microsoft, but the grey market for important security holes is way more complex these days. Depending on your patriotism, you may not even need to compromise your ethics. Uncle Sam wants you to overflow buffers!
posted by Nelson at 7:07 PM on November 6, 2013


Ironic - The site refuses to load: "It looks like your JavaScript is disabled. For a better experience on HackerOne, enable JavaScript in your browser."
posted by anemone of the state at 7:12 PM on November 6, 2013


NYT reported over the summer that the market for 0-days is booming and that governments are some of the top purchasers.

"The average flaw now sells from around $35,000 to $160,000."
posted by jquinby at 7:13 PM on November 6, 2013 [3 favorites]


So I guess free bug fixes are kind of over, huh?
posted by RobotVoodooPower at 7:17 PM on November 6, 2013


I wonder why there aren't any bounties sponsored for popular proprietary technologies like Java, C#, or IIS.
posted by ardgedee at 7:35 PM on November 6, 2013 [1 favorite]


Also featuring an Allie Brosh logo for The Internet.

Yeah. Completely MISSING THE POINT of the manic part of a manic-depressive cycle really gets me on board.
posted by Slap*Happy at 7:40 PM on November 6, 2013


Yeah. Completely MISSING THE POINT of the manic part of a manic-depressive cycle really gets me on board.

I think it's lame too, but...
Question: Does the "all the things" meme bug you or are you okay that it gets used for .. uh .. all the things?

The meme doesn't bug me. I'm happy that people are having fun with it.
posted by mykescipark at 7:46 PM on November 6, 2013 [3 favorites]


Ironic- The site refuses to load: "It looks like your JavaScript is disabled. ...

What's even weirder is that the front page actually displayed, apparently quite adequately, for a split second before it did the passive-aggressive switch over to the "no js" page. It looked FINE, hackerone, why you gotta be like that?
posted by Greg_Ace at 11:18 PM on November 6, 2013 [1 favorite]


$1500!?! Microsoft and Facebook aren't exactly charities, their entire business models are based around the existence of a working internet, and that's all they're willing to pony up? Shit, that's probably cheaper than any one of them just hiring someone on salary.
posted by indubitable at 3:45 AM on November 7, 2013


From the article Nelson posted above:

When "asked if they would be troubled if some of their programs were used in attacks that caused death or destruction, they said: 'We don't sell weapons, we sell information. This question would be worth asking to vendors leaving security holes in their products'."

Well...I suppose. On the other hand, this smells quite a bit like hey man, I didn't rob your place. I just sold your address to some guy after I noticed the kitchen window was open. Guess you shoulda closed it. Am I right or am I right?
posted by jquinby at 5:18 AM on November 7, 2013 [1 favorite]


Yeah, the omission of the entire .NET ecosystem is pretty sketchy with Microsoft as a sponsor, whether or not anyone was actually exercising bias. I don't understand the lack of Java, unless they think it has so many bugs that they'd go bankrupt.

But yeah, these numbers are pretty insulting. There are probably tons of light-grey-market venues you could turn to, that would offer enough money to make a real donation to your nonprofit of choice while still being reasonably ethical about it.

Maybe if this project offered free VMs and advanced diagnostic tools to its participants, or didn't handwave about the legal liabilities of security disclosure (rather than "the more closely [your] behavior matches these guidelines, the more we'll be able to protect you").
posted by Riki tiki at 5:31 AM on November 7, 2013


"The webpage at https://hackerone.com/ibb has resulted in too many redirects."

I'm clearly in the wrong thread.
posted by mrhappy at 8:26 AM on November 7, 2013


Well, clearly enabling scripting on a site called "hackerone" is a GREAT idea, so I will just go ahead and do that so I can see the content! I'm sure I can trust them.
posted by caution live frogs at 8:37 AM on November 7, 2013 [1 favorite]


Hackerone, to rhyme with macaroni!

(I would go bug hunting but it's more rewarding to make comments as fatuous as the bounties on offer).
posted by comealongpole at 2:30 PM on November 7, 2013

