Microsoft and Facebook Launch Internet Bug Bounty Program
An anonymous reader writes "Microsoft and Facebook today jointly launched a new initiative called the Internet Bug Bounty program. In short, the two companies are looking to secure the Internet stack by rewarding anyone and everyone who hacks it, and responsibly discloses vulnerabilities they find. The minimum bounty for hacking any component of the Internet is $5,000."
If you can't beat them .. (Score:3)
Re: (Score:3)
.. bribe them.
Strictly speaking, unless the bounties get substantially bigger than the minimum, and relatively quickly, it's more along the lines of "If you can't beat them, see if you can provide additional motivation to people already on your side; but perhaps not bothering to focus on the problems you care about."
Re: (Score:1)
If you can't beat them ..
.. bribe them.
Looks like that's what's happened to Slashdot. Microsoft seems to own the front page now.
Does anyone know where we can go to discuss real tech?
Re: (Score:1)
If I liked facebook I'd be there already.
Re: (Score:2)
Looks like that's what's happened to Slashdot. Microsoft seems to own the front page now.
Does anyone know where we can go to discuss real tech?
I am but glad that Microsoft stuff is occasionally featured on the Slashdot front page too. It is as important a company as Apple, Samsung, Red Hat, Intel or whatever. I want to hear about MS too: both their successes and embarrassing mistakes.
However, in addition to Slashdot, I also read a site called InfoQ [infoq.com]; they have pretty good stuff too.
Mistake (Score:4, Insightful)
The minimum fine for hacking any component of the Internet is $5,000
There, fixed that for you.
Didn't you know? Hacking has become a criminal activity that sends you to court nowadays...
Re: (Score:3)
AC [from basement]: Mooooooom they're not using English words the way I want them to be used.
Mom: Why don't you call the Académie anglaise?
AC: Moooom ur SOOOOOO dumb there isn't an Académie anglaise you see English is a descriptive language GOD THIS IS TYPICAL PUBLIC SCHOOL AMERICAN EDUCATION...
Mom: Erm, you went to a publi.. never mind, your sarcasm/nuance detector is clearly broken. OK, so given that words evolve, what do you think we can do about it?
AC: Moooooooooooom call my lawyer it's sland
Re: (Score:2)
The minimum fine for hacking any component of the Internet is $5,000
There, fixed that for you.
Didn't you know? Hacking has become a criminal activity that sends you to court nowadays...
No, using the word hacking and automatically associating it with illegal activity is the true crime here.
And I want to start threatening it at a criminal level (in the same way someone would decree libel or slander) in order to get that fucking point across.
The only difference between "hacking" and "research and development" is legality and/or sponsorship (Government would be in the "or" category, for they don't give a fuck about laws. Ref. NSA).
I agree with you. However, it's too fucking late. [slashdot.org]
They control the discourse, and the media is not your friend. [youtube.com] You should have considered them the enemy long ago. Now it's too late. The system is full of maliciousness. I'm afraid you'll have to wipe the platters, reboot and rebuild from a known good state.
Re: (Score:2)
No, using the word hacking and automatically associating it with illegal activity is the true crime here.
The only difference between "hacking" and "research and development" is legality
Make your mind up.
The Internet? (Score:1)
Hacking the Internet? Must be a new form of hacking the Gibson.
Re: (Score:2)
You just need to hit stop early enough. It is quite strange though. The text:
The Internet
Hack all the things.
Bounties provided by IBB
Some of the most critical vulnerabilities in the Internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to demonstrate how much this research is appreciated. To that end, the Internet Bug Boun
Simple very effective solution (Score:2)
Redirect facebook.com and microsoft.com and all their servers and namesakes to 0.0.0.0 or to 127.0.0.1 in the root DNS servers. Problem solved.
Re: (Score:3)
Unless the Root DNS server has acquired conscience and is posting as AC on Slashdot.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Incidentally, I bet it would be cheaper to buy a law declaring people who sell exploits on the black market to be criminally responsible, as 'conspirators', for any and all subsequent use of them, thus encouraging people to remain in our sharecropper bounty system, than it would be to actually pay the workers more...
Re: (Score:2)
You have to pay taxes on all income, including the illegal kind. So there is no problem with paying your mortgage that way.
Re: in a strange twist of fate (Score:3)
I despise MS and Facebook as much as the next guy but show me bug-free code and I have a bridge I'd like to sell you. However, your point about the abysmal lack of Quality Assurance is with merit considering the resources these have to do a better job of testing.
Re: (Score:2)
So what? It's well known that crime always pays significantly better than being honest - unless, of course, you get caught.
A smash and grab robber in a Rolex store is going to make more $ per hour than your server in McDonalds or even a white collar work
Meh (Score:3)
Re: (Score:3)
No they will not. They will pay the rate going on the black market, for the exploits they purchase. [theatlantic.com]
I agree with the general gist, but if you're marketing to the NSA, you're also marketing to all the other black market exploit buyers. The price can be far higher depending on the exploit. Interestingly, this means the NSA is helping support the exploit vector black market, and this is a threat to national security...
"It's not just us!!" (Score:2, Insightful)
"
Be widespread: vulnerability manifests itself across a wide range of products, or impacts a large number of end users.
Be vendor agnostic: vulnerability is present in implementations from multiple vendors or a vendor with dominant market share.
Be severe: vulnerability has extreme negative consequences for the general public.
Be novel: vulnerability is new or unusual in an interesting way.
"
So MS
Re: (Score:2)
https://bugzilla.redhat.com/buglist.cgi?component=vulnerability&order=bug_id%20DESC&product=Security%20Response&query_based_on=&query_format=advanced
OTOH, MS helps the NSA keep a secret catalog of zero-days to use at their leisure.
Re: (Score:2)
Notice there is no mention of IIS or other MS products in the article or the linked page.
NSA Cashes In! (Score:2)
I bet they could make $100,000,000 the first day.
Microsoft and Facebook are the biggest bugs (Score:1)
Microsoft is the biggest and most harmful bug of all time in computing quality and security.
And Facebook is the biggest privacy bug.
Where do I report them?