Microsoft and Facebook want to find security problems with some of the key technologies that power the web. The pair have teamed up to create an internet bug bounty project, dubbed HackerOne, that rewards security researchers for finding issues with PHP, OpenSSL, Apache, and even the underlying internet communication protocols. Rewards range from minimums of $300 to $5,000 depending on the specific vulnerability and the associated severity. Volunteers from Facebook, Microsoft, and even Google will form a panel to judge the entries, and there’s a list of disclosure rules to ensure bugs are reported and disclosed correctly.
While Microsoft, Facebook, and Google all compete online, the collaboration is designed to target high-profile bugs that could cripple key internet infrastructure. "Even if we are fierce competitors... the security teams don't have to be competitors," says Facebook product security lead Alex Rice in an interview with Reuters. "Our competition is the bad guys." Both Facebook and Microsoft currently offer their own separate bug bounty programs that reward hackers with cash for key software problems. Facebook was recently accused of ignoring a security bug report, forcing a researcher to post details on CEO Mark Zuckerberg’s wall. Microsoft has paid over $128,000 on bug bounties so far, with $100,000 awarded for flaws that worked around security protections in Windows 8.1.