08/31/2011, Author: Eddy Willems

Bug bounty initiatives: a summer approach against cyberthreats?

Looking back at the past months, the summer season has always been a mixture of holidays and the launch of new initiatives against cyberthreats.

One of the new initiatives is brought to us by Microsoft with what they call the Blue Hat Prize. It is a contest meant to generate new defensive approaches in the field of computer security. By launching this initiative, MS wants to develop new solutions to resolve security threats. And there are interesting prizes for the participants, ranging from $10,000 to $200,000.
It is known that MS also has some internal research conferences, but this new program will focus on new technology and especially on defense against memory safety vulnerabilities. Microsoft clearly wants to encourage researchers to think about new ways of defeating entire classes of bugs, instead of paying only for individual bugs as some other companies are doing.

One of those other companies is Facebook, which recently launched a security bug bounty program.

And this security bug bounty program seems to be effective. According to a blog entry by Joe Sullivan, Facebook’s CSIO, “the program has already paid out more than $40,000 in only three weeks and one person has already received more than $7,000 for six different issues flagged.” It clearly is building up some results in the short term already.

Apple also took some initiatives this summer. They have hired Nicholas Allegra, alias "comex", the hacker behind JailbreakMe, a software application that makes it simple to remove the restrictions on iPhone, iPod Touch and iPad devices. Allegra’s website contains code that lets you "jailbreak" your iDevice in a couple of minutes. This enables users to install unapproved apps from unauthorized stores like Cydia. The jailbreak hacks have been used by millions of people. It is really understandable that Apple hired this guy.
Allegra could notify his new company about bugs or security holes in its software, allowing Apple to patch them even before releasing the products to the general public. Apparently Allegra isn’t the first hacker Apple has hired, because another jailbreak app creator, Peter Hajas, is working for the company as well.

And the ones mentioned above are not the only initiatives. Even more came onto the scene during the first half of this year. Although we have always been a bit suspicious and careful about this kind of initiative, we are sure that they definitely are a way to improve security on the internet and in the tools we are using these days. People always need to work together to create a safer (cyber) world.
It’s a pity that money always seems to be involved. Well, maybe not always. These current reports reminded some people in our company about the “black socks” – yes, clothes – one was rewarded with about 14 years ago (!) when one found a bug in the Dr Solomon’s Toolkit, an old and famous anti-virus suite. Definitely an old and lucrative initiative in the anti-virus world from the Dr Solomon’s Group (acquired by McAfee in 1998, then Network Associates).

One question remains: Will those initiatives work in the long term?

G DATA | Trust in German Sicherheit