UPDATE: Barracuda Networks has established a new rewards program for researchers that uncover bugs in the company’s security products.
Barracuda’s program follows in the footsteps of similar moves by Google and Mozilla to use incentives to get researchers to turn vulnerability information over to vendors, as opposed to posting it publicly on the Web or handing it to black hats.
Prizes for the bugs range from $500 to $3,133.70 depending on how the Barracuda Labs Bounty Panel judges their severity. Bounties can also be donated to charity upon request, the company said.
“Security product vendors should be at the forefront of promoting security research,” said Paul Judge, chief research officer at Barracuda Networks, in a statement. “This initiative reflects our commitment to our customers and the security community at large. The goal of this program is to reward researchers for their hard work as well as to promote and encourage responsible disclosure.”
Just recently, Google expanded its bug rewards program to include its Web properties, such as YouTube and Orkut. The program’s top reward is the same as the amount being offered by Barracuda – $3,133.70 – for anyone who finds critical bugs in Google’s Web applications and reports them directly to the company. Google first established its program earlier this year to reward people for reporting issues in Google Chrome.
The minimum reward from Google is $500. For now, Google’s client applications, such as Android and Google Desktop, are not in the scope of the program, though Google has said it may be expanded in the future.
Mozilla has operated a vulnerability reporting initiative for years. To qualify for Mozilla’s program, the security bug must be present in the most recent supported, beta or release candidate versions of Firefox, Thunderbird or Firefox Mobile, or in Mozilla services that could compromise users of those products. Valid, critical bugs can earn reporters up to $3,000.
In the case of Barracuda, the company has announced that the following products are in the program’s scope: Barracuda Spam & Virus Firewall, Barracuda Web Filter, Barracuda Web Application Firewall and Barracuda NG Firewall. For now, only the appliance form factor of each of the products is fair game, and only the most recent generally available version qualifies.
Remote exploits, privilege escalation, cross-site scripting and other attacks that compromise confidentiality, availability or authentication are acceptable. Once the vulnerability is fixed, the finder can publicize it, the company said. Attacks against Barracuda’s corporate infrastructure, demo servers or customers are prohibited.
Update: This story was updated to reflect Barracuda’s clarification about rules regarding acceptable bugs.