Security vendor Barracuda Networks is jumping on the "bug bounty" bandwagon, offering rewards to researchers who can identify vulnerabilities in the company's firewall and Web filtering products.
The company says its Bug Bounty Program is "an initiative that rewards researchers who identify and report security vulnerabilities in the company's security product line," adding that it is the "first security vendor to offer such a bold program." Other vendors including Mozilla and Google have similar vulnerability-catching initiatives.
Specifically, Barracuda's Bug Bounty program offers cash prizes ranging from $500 to $3,133.70, depending on the severity of the bug, to researchers who find flaws in its Spam & Virus Firewall, Web Filter, Web Application Firewall, and NG Firewall products. The high end of the cash award range matches Google's recent increase in its own bounty program for its Web-based products; Barracuda explains that the figure "pays homage to 'eleet.' This is used by some in the security community as slang for elite and is sometimes referred to as 31337." The Barracuda Labs Bug Bounty Panel will judge the severity of found bugs, according to company officials.
Eligible bug types include those that compromise confidentiality, availability, integrity or authentication, says the company. Researchers who find bugs in Barracuda's security products can report them via an email address and PGP key. Bugs must be reported in confidence to Barracuda; the company says that once the bug is verified and fixed, the reporter may disclose it publicly.
Paying individuals to find bugs in vendor software is becoming more popular as the market for vulnerability information grows, says Dennis Fisher, who blogs for ThreatPost, a news service provided by security vendor Kaspersky Lab.
"As a profitable, legitimate market for vulnerability information has developed in recent years with the success of the Zero Day Initiative and other third-party brokers, there has been more and more pressure on the vendors themselves to pay for bugs," Fisher writes.