Internet companies are building a vulnerability reporting incentive platform

Following Google and Facebook to launch the vulnerability Award program, domestic internet companies have also built their own vulnerability incentive platform to encourage security technology experts to identify and notify the Enterprise vulnerability information. A researcher named Mil3s Beep has received a cash reward of more than 35,000 yuan since the 360 security vulnerability response platform was online.

Previously, the so-called 0day vulnerabilities (which have never been made public or patched) usually only circulate in the underground "black market", being used by hackers for cybercrime and profiting from China. However, if the manufacturer to change the point of view, in fact, often in the vulnerability after the attack is most likely to detect vulnerabilities, make patches, so the loss is also difficult to avoid. It is reported that hackers often found some popular software and operating system loopholes, can often be in the "black market" profit as high as thousands of to tens of thousands of U.S. dollars, and if found an iOS loophole even sell hundreds of thousands of dollars.

But as companies such as Google launch the vulnerability Incentive program, a large number of security technology experts began to report these vulnerabilities to vendors for compensation. Public data show that Google, Facebook in the past few years, the amount of vulnerability incentive has accumulated more than million dollars. Even Microsoft, which claims to have never bought loopholes, has launched the Blue Hat Award this year (Bluehatprize), which can report bonuses up to $250,000 trillion. At the same time, in the Blackhat, Defcon, Syscan and other security summits also often held a security attack and defense competition, the international software giant on-site collection of loopholes, the same bonus is not cheap.

Since 2012, the domestic launch of the vulnerability incentive scheme of the Internet companies have also been more up, including Tencent, 360, Baidu, Beijing-east, NetEase and so on, but most of the gift as a loophole reward. According to Tencent's "2012 Tencent Vulnerability Award Scheme" work report shows that Tencent last year handled the external feedback of the 2,288 security vulnerabilities, for the vulnerability of the report to provide the prizes, plus mailing fees, prizes, a tax, labor costs input of 300,000 yuan, an average of 131 yuan per loophole reward, including QQ dolls, Q-coins are also being Tencent as a prize.

By contrast, 360 of the bug-reporting rewards were cash-focused, and some of the less-threatened vulnerabilities were rewarded with gifts such as a mouse suit and a U disk. 360 security vulnerability Response platform since the launch in May 2012, pure bonus expenditure of 89,400 yuan, the average bonus of each loophole reached 1314 yuan.

Encouraged by relatively generous incentives, the 360 security vulnerability response platform has increased the level of activity, from the days of the letter Alpha Laboratories, security research institutions Binvul, 52Pojie Forum and other professional manufacturers and Web sites of technical experts are the 360 vulnerability award platform of the list of thanks to the frequent guests, It is very common for a person to win many prizes. An anonymous master mil3s beep, for example, has received a $35,000 vulnerability report bonus. The highest record of single bonuses reached $7500, which was obtained by another anonymous person, oo.

There is a view that the vulnerability Reporting incentive scheme is a useful complement to Internet security, and that high cash incentives can encourage security researchers to actively look for vulnerabilities and report to businesses, rather than selling them to the black market, and reasonable remuneration is also a respect for the job of the vulnerability-reporting people. But domestic firms are still less rewarded for loopholes than foreign internet giants. The latest news suggests that Google has announced an increase in the amount of the underlying vulnerability to $5000 from $1000 trillion.