Bug bounty program

from Wikipedia, the free encyclopedia

A bug bounty program (roughly "bounty program for bugs") is an initiative run by companies, interest groups, private individuals or government bodies to identify, fix and publicize defects in software by publicly rewarding their discoverers with prizes in kind or in cash.

Examples of bug bounty programs

Domestically and abroad, a large but indeterminate number of companies run programs of this kind.

DJI

The drone manufacturer DJI attempted to permanently silence security researcher Kevin Finisterre after he had reported a data leak and the bounty had been paid, citing the Computer Fraud and Abuse Act (CFAA). Only after strong protests were the terms and conditions changed, making DJI one of only three companies to grant researchers a CFAA waiver.

Microsoft

Microsoft runs bug bounty programs tailored to its Internet services (Online Services Bug Bounty) separately from those for its operating systems (Mitigation Bypass Bounty). Vulnerabilities in the online services Microsoft Office 365 and Microsoft Azure are rewarded with 500 to 15,000 US dollars under the Online Services Bug Bounty. Vulnerabilities that demonstrate a new way of penetrating a Microsoft operating system are rewarded with up to 100,000 US dollars under the Mitigation Bypass Bounty and Bounty for Defense Terms. The Hyper-V Bounty program, which Microsoft launched on May 31, 2017, offers up to 250,000 US dollars for successful attack scenarios.

Since mid-July 2018, security researchers have been rewarded with between 500 and 100,000 US dollars for finding vulnerabilities in the sign-in services of Azure and Microsoft accounts.

Zerodium

In September 2015, Zerodium, a company specializing in zero-day exploits, launched a competition with a prize of 1 million US dollars for a browser-based jailbreak of Apple's iOS operating system. On November 2, it was announced that a winner had been found.

EU-FOSSA

The Free and Open Source Software Audit (FOSSA) project, which the EU set up in 2014 with pilot funding of one million euros after the OpenSSL vulnerability that became known as Heartbleed, aims to strengthen the security of free and open source software; it has been continued in expanded form under the name EU-FOSSA 2. Independent researchers and developers on the two bug bounty platforms HackerOne and Intigriti (Deloitte) are invited to identify security gaps in 15 selected open source projects. The applications examined include Apache Kafka, Apache Tomcat, Notepad++, 7-Zip, FileZilla, KeePass, Drupal, PuTTY, glibc and VLC media player.

Hack the Pentagon

The US Department of Defense's bug bounty program Hack the Pentagon invites ambitious hackers on the HackerOne platform to attack Pentagon systems.

References

  1. Amit Elazari, Daniel AJ Sokolov: US bug bounties let "good" hackers fall into the trap. January 22, 2018, accessed January 22, 2018.
  2. Microsoft: Online Services Bug Bounty Terms. Accessed October 27, 2015.
  3. Microsoft: Mitigation Bypass and Bounty for Defense Terms. Accessed October 27, 2015.
  4. Microsoft Hyper-V Bounty Program Terms. technet.microsoft.com. Accessed July 27, 2017.
  5. Bug Bounty: Cracking Azure and Microsoft accounts is worth up to 100,000 US dollars. heise.de, July 19, 2018, accessed July 19, 2018.
  6. Zerodium: Zerodium iOS 9 Bounty. In: Zerodium. September 21, 2015, accessed November 3, 2015.
  7. Dennis Schirrmacher: Hackers should get one million US dollars for iOS 9.1 jailbreak. In: Heise Online. November 3, 2015, accessed November 3, 2015.
  8. Bug Bounties in Full Force. https://www.com-magazin.de/news/open-source/eu-erweitert-bug-bounty-programm-fossa-1664851.html