Bug Bounty Program Award Winners 2015 - Exclusive Interview by United Airlines & Facebook

Editorial_Staff_Team's picture

Announcement of the Bug Bounty Program Award Winners 2015 - Exclusive Interviews with United Airlines & Facebook

We worked hard to represent the winners of 2015 after the nicely solved first award ceremonie in 2014. This year we exclusivly release the winners of the international "Bug Bounty Awards". The award is nominated twice for the "Best Upcoming Bug Bounty Program" and the "Best Bug Bounty Program" of the year.

The winners of the award are nominated via email vote by 100 vulnerability laboratory researchers and 101 independent or individual security researchers. The voting results will be multiplied to finally discover the winners. Be welcome to visit the new awards module in the vulnerability laboratory infrastructure with archive.

Winner of the Best Bug Bounty Program of the Year 2015 (Facebook)

Characteristics of the "Best Bug Bounty Program of the Year 2015"
The best bug bounty program of the year must have the following characteristics to win the independent sec competition.

- Trustworthiness and reliability in handling with reported security gaps
- Expression and expansion of the public security program service
- Announcement of program updates or policy upgrades
- Cooperative exchange (Researchers & Teams)
- Fast Response to the Research Community
- Good Coordination (Researchers & Teams)
- Reliability of the bug bounty payouts
- Transparency of the program

URL: http://www.vulnerability-lab.com/list-of-bugbounty-program-year.php

The first interview questions are answered by a representative of the official facebook security department (bug bounty program). In december to january 2015 facebook won the voting of the "Best Bug Bounty Program in 2015". Melanie managing the security departments and the team is responsible for the official facebook bug bounty program. The representatives of the facebook security department accepted the official and international award nomination for the "Best Upcoming Bug Bounty Program in 2015" by the Vulnerability Laboratory.

Vulnerability Lab: What 3 countries are the most active once in the official Facebook Whitehat (Bug Bounty) Program?

The countries with the most bounty recipients are, in order, the US, India, UK, Turkey, and Germany. The countries with the fastest growing number of recipients are, in order, the US, India, Turkey, Israel, Canada, Germany, Pakistan, Egypt, Brazil, Sweden, and Russia.

Vulnerability Lab: How long is the Facebook Whitehat Program activly available as resource to the security department?

Facebook: Since 2012

Vulnerability Lab: Which amount was the highest payment ever issued by the Facebook Whitehat Program?

Facebook: Our largest single bounty so far has been $20,000. The top five earners last year collectively netted $256,750.

Vulnerability Lab: After some years participating indepenently with an own bug bounty program, would the security department say that something activly changed in sight security of the infrastructure?

Facebook: So far the program has been even more successful than we'd anticipated: We've paid out more than $1 million in bounties, and have collaborated with researchers from all around the world to stamp out bugs in our products and in our infrastructure.

Vulnerability Lab: Are you satisfied with the responses/feedback you get from the indepenent researcher scene regarding the Facebook Whitehat Program?

Facebook: Yes

Vulnerability Lab: Did the official bug bounty program helps the company to get more less cyber damage (hacking, exploits, unauthorized access, spoofing, phishing and co.)?

Facebook: Yes, i helped us to figure out new issues but prevention as well.

Vulnerability Lab: What are the future plans of the official bug bounty program in 2016/2017?

Facebook:

Vulnerability Lab: How much researchers did participate successful in the official Bug Bounty Program until today?

Facebook: 321 active researchers with a successful payment in 2014

Vulnerability Lab: Are you proud about the results of the independent security award nomination to your company?

Facebook: Bounties get better than ever, please review ... https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than-ever/

URL: http://www.vulnerability-lab.com/awards.php?type=best&year=2015

Winner of the Best Upcoming Bug Bounty Program of the Year 2015 (United Airlines - Star Alliance)

Characteristics of the "Best Upcoming Bug Bounty Program of the Year 2015"
The best bug bounty program of the year must have the following characteristics to win the independent sec competition.

- Startup in the bug bounty market business
- Trustworthiness and reliability in handling with reported security gaps
- Expression and expansion of the public security program service
- Announcement of program updates or policy upgrades
- Cooperative exchange (Researchers & Teams)
- Fast Response to the Research Community
- Good Coordination (Researchers & Teams)
- Reliability of the bug bounty payouts
- Transparency of the program

URL: http://www.vulnerability-lab.com/list-of-best-upcomings-bugbounty-program.php

The second interview questions are answered by a representative of the official united airlines (security department) bug bounty program. In december to january 2015 united airlines won the voting of the "best upcoming bug bounty program in 2015". Ben, Carla, Igor, Josh, Becky & Louisa are managing the security departments bug bounty program and the team is responsible for the official united airlines bug bounty program as well. The representatives of the united airlines security department accepted the official and international award nomination for the "Best Upcoming Bug Bounty Program in 2015" by the Vulnerability Laboratory.

Vulnerability Lab: How did United get the idea to launch a "Bug Bounty Program"?  

United Airlines (Security Department):United began planning for our Bug Bounty program in December 2015 after seeing the positive results that technology companies like Facebook have had by empowering the research community.  We saw an opportunity to lead our industry in cyber security and we took it!

Vulnerability Lab: How does the program benefit the security research community?  

United Airlines (Security Department): Many Bug Bounty programs issue cash payments as awards but we chose to issue Mileage Plus miles for our program.  It’s a unique benefit that no other type of company can offer and by offering our researchers the ability to fly anywhere that United or our Star Alliance partners fly we think we will always attract new researchers to the program.

Vulnerability Lab: Which are the most active countries in the Bug Bounty program?  

United Airlines (Security Department):Our program is worldwide – we have had researcher submissions from the US, Germany, Russia, Brazil, Ethiopia, Australia, India, France, and many other countries.

Vulnerability Lab: Did the reported vulnerabilities help United secure its services?  Absolutely! 

United Airlines (Security Department):We have had great success with the Bug Bounty program and encourage all large companies to consider opening their own Bug Bounty programs.

Vulnerability Lab: What was the largest amount of miles issued to a researcher in the program? 

United Airlines (Security Department):We do not disclose bug or payment details in our program but we have issued payments of one million miles.

Vulnerability Lab: How long does it typically take for an issue to be fixed? 

United Airlines (Security Department):We have a release schedule for each bug reported to our program.

Vulnerability Lab: How many researchers have participated in the Bug Bounty program? 

United Airlines (Security Department):We have been encouraged by the level of interest in our program and the support of the research community!

Vulnerability Lab: What was the most significant problem with the researcher community? 

United Airlines (Security Department):United only issues award payments to the original bug submitter.  This means that follow-on researchers who report the same bug are notified that someone else identified the bug first.  It’s difficult to break the bad news to our researchers and we hope they understand our commitment to them and to the program!

Vulnerability Lab: Is the Bug Bounty team proud of this award?  Absolutely! 

United Airlines (Security Department):We value the security research community and are so grateful for the award!  We will place it in an honored place in our department office.

URL: http://www.vulnerability-lab.com/awards.php?type=upcoming&year=2015

Special @Thanks

Thanks to all the manufacturers for accepting the official bug bounty program award of 2015. We are proud about  the second bug bounty award nomination to the manufacturers and we will hopefully successful continue the project in the next years as well.

The picture above shows the award in the company of united-airlines next to the mega award in 2015.

Reference(s):

http://www.vulnerability-lab.com/awards.php

http://magazine.vulnerability-db.com/?q=articles/2015/05/08/bug-bounty-program-award-winners-2014-exclusive-interview-microsoft-paypal

http://magazine.vulnerability-db.com/?q=articles/2014/08/20/best-bug-bounty-program-year-2014-competition-award

http://magazine.vulnerability-db.com/?q=articles/2015/02/01/announcement-winners-best-bug-bounty-program-best-upcoming-program-best-issue

http://magazine.vulnerability-db.com/?q=articles/2015/01/12/bug-bounty-programs-manufacturer-award-31st-january-2015

Rate this article: 
Average: 3.7 (9 votes)

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.