Sign In

Communications of the ACM

ACM TechNews

Newest Bug Bounty Touts $10K Rewards, Appeals for Help in Finding Flash Flaws

View as: Print Mobile App Share:
Finding a bug in the code.

The Internet Bug Bounty program recently paid two security researchers $10,000 each for vulnerabilities they found in Flash.


The Internet Bug Bounty (IBB) program, which launched in November 2013 with a first round of funding from Facebook and Microsoft, recently paid $10,000 each to a pair of security researchers for vulnerabilities they found in Flash, the highest-value rewards from the group since its launch.

"This shows that the IBB is serious about rewarding research which makes us all safer," says Google Chrome security engineer Chris Evans.

IBB currently has a 180-day patch-or-publish guideline, meaning that if a vendor is unable or unwilling to fix a reported flaw, details may be made public. "Not everyone has woken up to this, but when a whitehat researcher discloses an issue, there's a reasonable chance that nefarious actors already know about the vulnerability," Evans says. "Therefore, taking a long time to patch puts everyone at risk."

Evans recently called on researchers to help find flaws in Adobe's Flash Player, and he aimed his appeal at researchers who uncover vulnerabilities to sell to government and law enforcement intelligence agencies.

Evan says the group is looking for more sponsors. "The more sponsors we have on board, the more money we can inject into the whitehat community in order to make us all safer," he says.

From Computerworld
View Full Article


Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA


No entries found