Barracuda Networks has started a vulnerability rewards program to encourage the security community to come forward with bugs in its products.
UPDATE: Barracuda Networks has established a new rewards program for researchers that uncover bugs in the company's security products. Barracuda's program follows in the footsteps of similar moves by Google and Mozilla to use incentives to get researchers to turn vulnerability information over to vendors as opposed to posting it publicly on the Web or handing it to black hats.
Prizes for the bugs range from $500 to $3,133.70 depending on how the Barracuda Labs Bounty Panel judges their severity. Bounties can also be donated to charity upon request, the company said.
"Security product vendors should be at the forefront of promoting security research," said Paul Judge, chief research officer at Barracuda Networks, in a statement. "This initiative reflects our commitment to our customers and the security community at large. The goal of this program is to reward researchers for their hard work as well as to promote and encourage responsible disclosure."
Just recently, Google expanded its bug rewards program to include its Web properties, such as YouTube and Orkut. The program's top reward is the same as the amount being offered by Barracuda - $3,133.70 - for anyone who finds critical bugs in Google's Web applications and reports them directly to the company. Google first established its program earlier this year to reward people for reporting issues in Google Chrome.
The minimum reward from Google is $500. For now, Google's client applications, such as Android and Google Desktop, are not in the scope of the program, though Google has said it may be expanded in the

Mozilla has operated a vulnerability initiative for years. In order to qualify for theirs, the security bug must be present in the most recent supported, beta or release candidate versions of Firefox, Thunderbird, Firefox Mobile or in Mozilla services that could compromise users of those products. Valid, critical bugs can earn reporters up to $3,000.
In the case of Barracuda, the company has announced that the following products are in the program's scope: Barracuda Spam & Virus Firewall, Barracuda Web Filter, Barracuda Web Application Firewall and Barracuda NG Firewall. For now, only the appliance form factor of each of the products is fair game, and only the most recent generally available version qualifies.
Remote exploits, privilege escalation, cross-site scripting and other attacks that compromise confidentiality, availability or authentication are acceptable. Once the vulnerability is fixed, the finder can publicize it, the company said. Attacks against Barracuda's corporate infrastructure, demo servers or customers are prohibited.
Update: This story was updated to reflect Barracuda's clarification about rules regarding acceptable bugs.