FireEye’s bug bounty program goes public
FireEye has opened the gates of its bug bounty program to the public after running privately for several months.
On Wednesday, the cybersecurity firm said the scheme is now open to any researcher or bug bounty hunter willing to take a look at in-scope FireEye domains and services.
Bug bounty programs, hosted on platforms including HackerOne and Bugcrowd, are a way to ‘crowdsource’ the hunt for vulnerabilities. Thousands of organizations now offer bug bounties to researchers who privately disclose security flaws they find through these programs and provide both financial rewards and credit in return.
These programs can free up internal security teams for other jobs and can also provide access to broader talent pools to prevent breaches or successful cyberattackers based on unknown bugs from taking place.
“We understand that — despite our best efforts — we cannot eradicate all security vulnerabilities,” FireEye says. “The technology landscape is constantly expanding, and as such, there will always be emerging threats. While we’ve been heavily involved with responsible disclosure, including helping other companies set up and modify their own programs, we are taking the next step in this effort.”
The bug bounty program focuses on FireEye’s corporate infrastructure.
To date, the program — ran via Bugcrowd — has been private, but now, any registered researcher can try their hand at finding vulnerabilities across domains including fireeye.com, fireeyecloud.com, and mandiant.com, as well as existing DNS setups.
As website domains are the only in-scope targets at present, the rewards on offer could be considered relatively low, with up to $2,500 offered for critical vulnerabilities. However, FireEye intends to expand the program to include products and services “in the coming months.”
Research is conducted under safe harbor principles.
In January, Google revealed that researchers were paid $6.5 million throughout 2019 by way of the tech giant’s bug bounty program. Since 2010, over $21 million has been awarded through bug bounties.
During 2019, the highest earner was a researcher who found a one-click remote code execution (RCE) exploit on Pixel 3 devices, netting him over $200,000.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0