Bruce Schneier talks about security as a process, because the work of securing systems is never complete. And in the spirit of this, F-Secure has launched a new Vulnerability Rewards program – or “bug bounty” as they’re sometimes called – to give everyone the opportunity to help F-Secure improve its products. Bug Bounties are one way companies can test the security of its products, and have been used by companies like Google, Facebook and Microsoft because it gives more people the opportunity to test products and contribute to their development.
“Our products all have a service component, because we work hard to maintain them,” says Jose Perez, a Senior Researcher at F-Secure Labs. ““We have to make sure they’re protecting users from the latest threats, but we also need to make sure that the applications themselves are airtight. So this program lets people explore the software built into the applications, and make a bit of money if they can point something out to us that needs to be improved to better protect our customers.”
The program will give people that find security vulnerabilities in selected F-Secure applications a reward ranging from €100 to €15 000. A security vulnerability, for the purposes of the program, is defined as:
“…an issue that causes a breach of confidentiality, integrity, or availability of the service or data, or applies to personal data (privately identifiable information) being stored or processed in a way that is not compliant with the current Finnish data protection legislation.”
So how can someone get started looking for security vulnerabilities in F-Secure’s products?
“Well, it’s kind of difficult for me to just make bug hunting sound easy,” laughs Perez. “But I would tell people to start by getting ahold of a guide to help them walk through the whole process. I hear that A Bug Hunter’s Diary: A Guided Tour Through the Wilds of Software Security is a pretty good one, and it’s as good a place to start as any.”
Anyone interested in taking part in the bug bounty should check the program’s rules and disclosure policies listed on the program’s web page.
[ Image by Lauren Hammond | Flickr ]
F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click…
April 18, 2018
The absence of regulation is what has resulted in the innovation of software we see today.…
September 13, 2017