The researcher who got the reward isn’t the one who discovered the security hole

Feb 21, 2014 09:21 GMT  ·  By

The Internet Bug Bounty (IBB) – the program launched back in November 2013 by a group of security experts and backed by Microsoft and Facebook – has issued its first $10,000 / €7,300 reward for a critical Flash Player vulnerability patched by Adobe back in December 2013.

David Rude, a researcher with iDefense Labs, is the one who got the reward. However, he’s not the one who found it, and the vulnerability wasn’t even reported to the IBB in the first place. Instead, the expert who found it reported it directly to Adobe through standard channels.

That’s what’s interesting about the IBB. Rude had only identified an attack that leveraged the security bug.

“IBB culture is to look mainly at whether a given discovery or piece of research helped make us all safer. Our aim is to motivate and incentivize any high-impact work that leads to a safer internet for all,” Chris Evans, a Google security engineer and a member of the IBB panel, noted in a blog post.

Evans highlights the fact that fixing the bug is a “service to all Internet users, democracy and human rights.” That’s because Citizen Lab has linked the exploit to an attack targeted at journalists in countries with poor human rights records.

“IBB does not want or need details of unfixed vulnerabilities – that would violate strict need-to-know handling,” Evans said.

“Once a public advisory and fix is issued, researchers or their friends may file IBB bugs to nominate their bugs for reward. Or, for important categories such as Flash or Windows / Linux kernel bugs, panel members keep an eye out for high impact disclosures and nominate on the researchers' behalf. Because we care.”

The IBB has issued rewards before, but none of them has been as high as this one.