Microsoft, Google and Facebook have teamed up to offer bigger bounties for bug hunters under the HackerOne bug bounty project.
The project is intended to reward hackers who find “issues” with internet tools such as PHP, OpenSSL, Perl, Ruby, Python and the Apache web server, as well as the internet’s underlying communications protocols.
“We’ve selected some of the most important software that supports the internet stack, and we want you to hack it. If the public is demonstrably safer as a result of your contribution to internet security, we’d like to be the first to recognise your work and say ‘thanks’ by sending some cash to you or your favourite non-profit,” the programme explains on its website.
HackerOne will offer rewards of between $300 and $5,000, depending on the vulnerability and severity of the bugs or security flaws hackers uncover, but a panel of experts may increase the size of the reward.
The panel will include security specialists from Facebook, Google and Microsoft, as well as security consulting companies.
“It is meant for those very, very severe bugs that would have dire consequence for the internet if they were to get into the wrong hands,” Facebook product security lead, Alex Rice, who is also one of the bug-bounty judges, told Reuters.
The HackerOne rewards come in addition to the bug bounty programmes offered separately by the companies. Microsoft recently raised the ceiling on its payments programme to $100,000 to encourage more hackers to come forward with bugs – rather than seek to exploit them.
“Even if we are fierce competitors… The security teams don’t have to be competitors,” added Rice. “Our competition is the bad guys.”
Full details of the programme can be found on the HackerOne website, www.hackerone.com/ibb