Adopting a bug bounty program has become popular among major software vendors lately, but the ways the programs are implemented -- as well as the rewards that will be handed out to bug hunters -- vary greatly across the bug bounty realm.
Four big-name organizations' bug bounty programs made the news this week -- specifically because of each program's reward loot, or lack thereof.
Adobe adds bounty, forgets the reward
In a blog post published Wednesday, Adobe Systems Inc. announced a new bug bounty program -- which is noticeably missing the bounty.
In its announcement, Pieter Ockers, security program manager of the Adobe Product Security Incident Response Team, wrote that the company's "Web application vulnerability disclosure program" welcomes the disclosure of security vulnerabilities affecting its products and services. Bug hunters who find a vulnerability can privately disclose the issue to Adobe via the HackerOne platform.
In return for a valid Adobe vulnerability submission, bug hunters will be rewarded with points that increase their HackerOne reputation score, which HackerOne introduced in October 2014 to measure the quality of bug hunters' disclosures.
Not only is Adobe late to the game -- other companies have had bug bounty programs in place for several years -- but it also remains to be seen whether a bug bounty program without a cash reward can match the success of the cash bounty programs run by Google Inc., Facebook Inc. and Microsoft.
Adobe has already thanked three researchers for disclosing a total of six bugs, all of which have been resolved.
The biggest cybercrime bounty to date
On the other end of the bounty spectrum, the FBI announced Tuesday it is offering a $3 million reward for information leading to the arrest or conviction of an alleged Russian hacker associated with the Zeus malware campaign.
Evgeniy Mikhailovich Bogachev, who is on the FBI Cyber's Most Wanted list, is reportedly connected to the GameOver Zeus variant, which is believed to have infected more than 1 million computers and caused financial losses of more than $100 million.
Bogachev was indicted Aug. 22, 2012, under the name of "lucky12345" by a federal grand jury in Nebraska for bank fraud, among other charges. He was indicted by his real name May 19, 2014, by a federal grand jury in Pennsylvania for computer fraud and money laundering.
While the FBI often offers rewards for information leading to the capture and conviction of a suspect, the bounty for Bogachev marks the highest amount authorities have ever offered in a cybercrime case.
Bogachev is believed to be in Russia, though the FBI notes that he enjoys boating and may travel.
Facebook paid $1.3 million for bugs in 2014
While the total comes in below the company's 2013 payout of $1.5 million, Facebook Security Engineer Collin Greene wrote that the number of submissions increased 16% year over year, and that the quality of the bugs reported has also improved: 61 of the bugs reported in 2014 were categorized as "high severity," 49% more than in 2013.
Greene also said researchers in 65 countries received rewards in 2014, a 12% increase over 2013.
Facebook's bug bounty program offers bounties to bug hunters for finding issues -- including cross-site scripting, cross-site request forgery and privilege escalation, among others -- in Facebook itself or the company's qualifying products, including Instagram. The program's minimum reward is $500; there is no maximum reward. In 2013, the average reward paid was $1,788.
Pwnium-ing all year 'round
Google announced Tuesday that its once-annual Pwnium competition would now be a "year-round, worldwide opportunity."
Chrome Security Team member Tom Willis wrote in a blog post that the changes were meant to achieve three objectives: remove entry barriers, eliminate the chances of "bug hoarding," and satisfy past participants, who said they preferred a year-round option.
With the new program, entries can be submitted through the Chrome Vulnerability Reward Program website. Bug hunters also no longer need to "hoard" bugs, which Willis said will not only reduce the chance of multiple researchers reporting the same flaw, but also help Google fix vulnerabilities quickly and shorten the window during which users are at risk.
Google rewards its hunters that disclose qualifying bugs with bounties ranging from $500 to $50,000.
Pwnium's year-round competition is effective immediately. According to Google, the reward pot "goes all the way up to $∞ million" with an added clause that states "this is an experimental and discretionary rewards program; Google may cancel or modify the program at any time."
In other news
- Open Whisper Systems announced Monday the release of Signal 2.0, the second iteration of its iOS encryption app and the first free cross-platform encrypted communication app between Android and iOS devices. Signal 2.0 has been updated to interoperate with Open Whisper's Android encryption apps, RedPhone and TextSecure. Users can now send end-to-end encrypted text, group text, picture and video messages across OSes without SMS or MMS fees. The self-proclaimed "easy-to-use" app makes use of the device's existing phone number and address book -- no separate logins, usernames, passwords or PINs are required. Only those conversing can read or listen to the messages; third parties cannot intercept them, and Open Whisper cannot decode them. Open Whisper Systems has made Signal 2.0's free, open source code available on GitHub to "allow experts to verify our protocols and our cryptography."
- Application security vendor Arxan Technologies Inc. shed further light on the hacking of mobile applications this week with the release of its third annual State of Mobile App Security report. Researchers found that of the top 100 paid apps available on iOS, 87% had been "hacked in a way that produced cloned or repackaged versions." Ninety-seven percent of the top 100 paid apps on Android had been cloned. Of the 20 most popular free apps, 75% had been hacked or cloned on iOS, 80% on Android. Separate research cited in the report found more than half of all cloned apps are malicious. The report, which comes on the heels of November's WireLurker and Masque attacks, highlights the mobile app vulnerabilities of reverse engineering, repackaging and republishing, as well as the importance of building self-defending mechanisms into mobile apps and providing runtime protections and self-repairing measures to reduce the attack surface and prevent mobile risks.
- Researchers at Cisco Systems Inc.'s Talos Security Intelligence and Research group announced Tuesday that the Angler exploit kit has integrated a new technique to avoid detection. The technique, called "domain shadowing," involves using stolen domain registration credentials to create subdomains under legitimate domains that redirect users to malicious content or host malicious content themselves. Talos Threat Researcher Nick Biasini wrote in a Cisco blog post Tuesday that almost 10,000 unique subdomains have been detected, and that while domain shadowing dates back to 2011, more than 75% of subdomain activity has occurred since December, "indicating a major shift in approach." The majority of the subdomains, researchers found, were held by GoDaddy Inc., which accounts for almost one-third of all domains on the Internet. Talos researchers wrote in the blog post that domain shadowing is hard to detect, both because it makes blacklisting difficult and because most users only log into their domain registrar to renew their registration, so the rogue subdomains go unnoticed. The inclusion of zero-day attacks and domain shadowing in the new version of Angler makes it one of the most sophisticated toolkits Talos has seen.
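The pattern Talos describes can be hunted from the defender's side in passive DNS data. As an added example that is not code from the article or from Cisco Talos, the script below flags registrable domains that suddenly gain several new subdomains resolving away from the hosting used by the domain's own apex record; the sample records, the 24-hour window, the three-subdomain threshold and the /24 "home network" rule are constructed assumptions.

```python
# Added example, not from the article or Cisco Talos: a passive-DNS heuristic
# for domain shadowing (burst of new subdomains pointing away from the apex host).
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
# Constructed sample passive-DNS lines: first_seen, fqdn, A record.
SAMPLE_PDNS = """\
2015-02-01T08:00:00 example-shop.com 198.51.100.10
2015-02-10T09:00:00 blog.example-shop.com 198.51.100.11
2015-03-02T01:12:09 xk4q.example-shop.com 203.0.113.7
2015-03-02T01:15:41 j9ad.example-shop.com 203.0.113.7
2015-03-02T02:05:30 zpq1.example-shop.com 203.0.113.9
2015-02-03T12:00:00 corp-site.net 192.0.2.20
2015-03-01T12:00:00 mail.corp-site.net 198.51.100.99
"""

def apex_of(fqdn):
    """Crude registrable-domain extraction: last two labels only (assumption)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def parse_pdns(text):
    out = []
    for line in text.splitlines():
        ts, fqdn, ip = line.split()
        out.append((datetime.fromisoformat(ts), fqdn.lower(), ip))
    return out

def shadowing_candidates(records, window=timedelta(hours=24), min_burst=3):
    """apex -> new subdomains when >= min_burst of them first appear within
    `window` and all resolve outside the /24 that hosts the apex itself."""
    apex_ip, subs = {}, defaultdict(list)
    for ts, fqdn, ip in records:
        apex = apex_of(fqdn)
        if fqdn == apex:
            apex_ip[apex] = ip          # baseline: the registrant's own hosting
        else:
            subs[apex].append((ts, fqdn, ip))
    findings = {}
    for apex, entries in subs.items():
        if apex not in apex_ip:
            continue  # no baseline for the legitimate hosting, skip
        home = ipaddress.ip_network(apex_ip[apex] + "/24", strict=False)
        foreign = sorted((ts, f) for ts, f, ip in entries
                         if ipaddress.ip_address(ip) not in home)
        for i in range(len(foreign) - min_burst + 1):  # sliding window on first_seen
            if foreign[i + min_burst - 1][0] - foreign[i][0] <= window:
                findings[apex] = [f for ts, f in foreign[i:] if ts - foreign[i][0] <= window]
                break
    return findings
```

Tuning `window` and `min_burst` against your own passive-DNS feed matters: legitimate CDN or SaaS onboarding can also create several subdomains at once, so the output is a triage list, not a verdict.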