Ecolor

CloudFlare Launches Bug Bounty Program

As the OpenSSL heartbleed bug (https://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309) unfolded over the last couple of weeks, one of the companies that was at the forefront of figuring out the scope and effects of the problem was CloudFlare. The company put up a challenge server, asking researchers to hit it with the heartbleed exploit to determine whether private SSL keys really could be leaked via the exploit. (Spoiler alert: they can.) And now, building on the back of that interaction with the research community, CloudFlare is launching a new vulnerability disclosure program in conjunction with the HackerOne bug-bounty platform.

CloudFlare is part of the newer wave of infrastructure and platform companies that are offering rewards to researchers who responsibly disclose vulnerabilities. Most of these organizations–such as Yahoo, Google, PayPal, Facebook and others–pay out monetary rewards to researchers who meet their conditions. CloudFlare isn’t giving researchers money, but rather a one-year professional subscription to the company’s service, recognition on its site and an exclusive t-shirt.

“We spent a lot of time considering the best way for us to manage a vulnerability reporting program, including evaluating several crowd-sourced solutions. We chose to partner with HackerOne to power this program because not only have they streamlined the disclosure process, but we also agree with their vulnerability disclosure https://hackerone.com/guidelines. They have also partnered with Nginx, PHP, Yahoo, OpenSSL and a range of security-minded companies,” Jamie Tomasello of CloudFlare wrote in a blog post, “Improving vulnerability disclosure for researchers” (CloudFlare Blog), announcing the new program.

Source: CloudFlare Launches Bug Bounty Program | Threatpost | The first stop for security news
