Microsoft is no stranger to using bug bounty programs to track down security problems and other issues with its software and services. Now the company has launched an Xbox bug bounty program, offering payouts of up to $20,000 to anyone finding vulnerabilities.
The particular aim of this bounty program is to find issues with the Xbox Live network and services. Microsoft says the amounts it will pay gamers and security researchers who report problems will depend on the severity and impact of the vulnerability, as well as the quality of the submission.
Organizations face a greater range of cyber threats than ever before. The key to dealing with these threats is better intelligence about the latest vulnerabilities.
We spoke to Jay Prassl, CEO of cyber hygiene startup Automox, which has recently launched an open community to foster cyber hygiene best practices, to find out more about how crowdsourcing and information sharing can help reduce the corporate attack surface.
According to a new study, 90 percent of IT professionals believe disclosing vulnerabilities serves a broader purpose of improving how software is developed, used and fixed.
The survey from application security testing specialist Veracode finds more than a third of companies received an unsolicited vulnerability disclosure report in the past 12 months, representing an opportunity to work together with the reporting party to fix the vulnerability and then disclose it, improving overall security.
Bug bounty programs have become a popular way for developers to track down security issues in software, but big pay-outs are not something that every company can afford.
In a bid to keep its Android platform secure, Google has announced that its own bug bounty program is being expanded to include all big Android apps, regardless of who develops them. The company will reward security researchers who find bugs in any app in the Google Play Store with 100 million or more installs.
Facebook's plans to venture into the world of cryptocurrencies has proved highly controversial, but the social media giant is plowing on regardless. The company and the partners it is working with on Libra have launched a public bug bounty program, offering pay-outs of up to $10,000 per bug.
Announced by the Libra Association, the aim of the Libra Bug Bounty Program is to "strengthen the security of the blockchain". The association wants to track down "security and privacy issues and vulnerabilities".
With a new beta of the Chromium-based version of Edge now available, Microsoft has unveiled details of a new bug bounty program for the browser.
Through the Microsoft Edge Insider Bounty it is possible to earn a maximum payout of $30,000 for discovering vulnerabilities in the Dev and Beta builds of Edge. Microsoft says that it intends to complement the Chrome Vulnerability Reward Program, meaning that any report that affects the latest version of Microsoft Edge but not Chrome will be eligible.
Bug bounty programs are a common way for companies to learn about problems with their hardware and software, while giving people the chance to get paid for finding them. Apple is one of the big names to run such a program, and it has at long last expanded it to include macOS.
The iPhone-maker made the announcement at the Black Hat security conference, where it also revealed that not only will its bug bounty program spread to tvOS, watchOS and iCloud as well, but also that the maximum reward is increasing to a cool $1 million.
Version 3.0.7 of VLC has been released, and while it may seem like a minor x.x.x update, it includes more security fixes than any previous release -- including two high-severity security issues.
Jean-Baptiste Kempf, the president of VLC-maker VideoLAN, says the number of fixes included in this version is due to the EU-FOSSA bug bounty program, funded by the European Commission.
Bug bounty programs are a popular way for tech companies to track down problems with their products without having to spend large sums of money on dedicated research teams. Microsoft is one of the big names with such a program, and it has just announced that it is increasing the payouts it makes.
As well as offering people more money for finding issues with its products, Microsoft also says that it will pay people faster.
Now in its fifth year, the GitHub Security Bug Bounty has been updated to offer larger rewards to those who find bugs. At the same time, the scope of the program is being expanded and protections for researchers have been added through new Legal Safe Harbor terms.
As well as expanding the program to cover any of its "first-party services", GitHub has effectively removed any upper limit on the size of reward pay-outs for critical bugs.
A disgruntled security researcher has revealed a one-click exploit that takes advantage of a macOS vulnerability to reveal all of the passwords stored in a Mac's keychain.
Linus Henze developed an exploit tool called KeySteal that uses a 0-day bug to extract keychain passwords on macOS Mojave and older. He stresses that neither root access nor administrator privileges are required, and no password prompts are generated by the tool. Henze is not going to help Apple to fix the problem because the company does not offer a bug bounty program for macOS.
Starting in January, the European Commission is going to fund bug bounty programs for a number of open source projects that are used by members of the EU. The initiative is part of the third edition of the Free and Open Source Software Audit (FOSSA) project, which aims to ensure the integrity and reliability of the internet and other infrastructure.
In all, the Commission will fund 15 bug bounty programs, with rewards ranging from €17,000 ($19,400) to €90,000 ($103,000).
With at least 87 million Facebook users affected by the data abuse by Cambridge Analytica, the social network is now on a mission to clean up its image. After rolling out tools, issuing notifications, and testifying in front of Congress, Facebook is launching a new bounty program that rewards people who report instances of data abuse.
The Data Abuse Bounty is a new program that offers from $500 to $40,000, and it aims to clamp down on the misuse of data by app developers. Launched just before Mark Zuckerberg's testimonies this week, it's a clear attempt by Facebook to curry favor.
As much as we'd like to think otherwise, no software is free of security issues. That's why it's important for tech companies to play an active role in finding and fixing as many bugs as possible before they're exploited. Implementing a bug bounty program can be very effective, as the product is exposed to various testing mindsets and approaches which can uncover some nasty surprises.
Netflix, which has over 100 million users across the globe, today introduces its first bug bounty program that's open to the public, with rewards that can reach $15,000 for the most-valuable findings that security researchers report.
Microsoft has launched a bug bounty program that will reward anyone who finds the next Meltdown or Spectre vulnerability. These flaws are known as speculative execution side-channel vulnerabilities, and Microsoft is willing to reward anyone who reports bugs that could cause problems like those seen earlier in the year.
The rewards on offer range from $5,000 up to $250,000 depending on the severity of the vulnerability, and the bounty program runs until the end of 2018. Microsoft says that it will operate under the principles of coordinated vulnerability disclosure.