Microsoft and Facebook under the auspices of HackerOne have announced a bug bounty program for the key applications that power the Internet. The bounty covers a wide range of applications from the sandboxes in popular browsers to the programming languages that power the LAMP stack, php, Perl, Ruby and Rails, to the the web servers that serve up the content, nginx and apache and others. Bounties for a successful vulnerability report are from a few hundred dollars to a couple of thousand.
I have, in the past, been on the fence over the value of bug bounties. But the recent spate of zero-day attacks have made me rethink this stance. It is clear that we need to find a way to reduce the number of vulnerabilities in software as early in the software development cycle as possible. I come from a software development background and am painfully aware of how difficult it is to avoid making mistakes in coding, and testing can never exercise all possible ways an application can be abused. I was once of the belief that code coverage tools and dynamic and static analysis tools would close that gap somewhat, but what tools do exist have not met expectations.
Until the unlikely day comes that we can ensure applications are deployed without vulnerabilities perhaps the best we can achieve are bug bounties to help stay a bit ahead of the bad guys.