Barracuda Networks Tuesday announced it will pay more than $3,100 to anyone who can hack into its security products, saying the bug bounty program is the first ever from a pure-play security vendor.
"This initiative reflects our commitment to our customers and the security community at large," says Paul Judge, chief research officer at Barracuda. The security firm lists its Spam & Virus Firewall, Web Filter, Web Application Firewall and NG Firewall as products in its bug bounty program.
Google last week launched a bug-bounty program to pay for vulnerabilities, and many other vendors are willing to pay security researchers for information about flaws they would like to fix as soon as possible, before those flaws are exploited in zero-day attacks.
The Barracuda Networks bug-bounty program will pay as much as $3,133.70 -- a nod to "31337," the "leet" spelling of "elite" in hacker slang -- for "particularly severe bugs," according to the company. The starting reward is $500.
The following bugs and attack types are said to be excluded: use of automated testing tools; social engineering; denial-of-service attacks; physical attacks; attacks against Barracuda's customers; attacks against Barracuda's corporate infrastructure or demo servers.
Acceptable bug types include "those that compromise confidentiality, integrity or authentication," with examples given of "remote exploits, privilege escalation, cross-site scripting, code execution and command injection." The company asks that vulnerabilities be reported via e-mail to BugBounty@barracuda.com using the PGP key at http://www.barracudalabs.com/bugbountypgp.txt.
To qualify for the bug bounty, the bug must be disclosed only to the company, Barracuda specifies, and once the "issue is fixed, you will be able to publicly disclose the issue."