Barracuda Networks announced on Tuesday that it will pay over $3,100 to anyone who can hack into its security products. This bug bounty program is the first of its kind from a pure-play security vendor.
“This initiative reflects our commitment to our customers and the security community at large,” said Paul Judge, Chief Research Officer at Barracuda. The security firm has included its Spam & Virus Firewall, Web Filter, Web Application Firewall, and NG Firewall in the bug bounty program.
Patch or Public Disclosure
Last week, Google launched a bug bounty program to pay for vulnerabilities, joining many other vendors willing to pay security researchers for information about vulnerabilities. These efforts aim to fix flaws as soon as possible to prevent exploitation as zero-day attacks.
Barracuda's bug bounty program will pay up to $3,133.70 for "particularly severe bugs," a nod to the slang "leet" number 31337, meaning "elite" in the security community. The starting reward is $500.
Exclusions and Acceptable Bugs
The following bugs and attack types are excluded from the program:
- Use of automated testing tools
- Social engineering
- Denial-of-service attacks
- Physical attacks
- Attacks against Barracuda's customers
- Attacks against Barracuda's corporate infrastructure or demo servers
Acceptable bug types include those that compromise confidentiality, integrity, or authentication. Examples given are remote exploits, privilege escalation, cross-site scripting, code execution, and command injection. Vulnerabilities should be reported via email to BugBounty@barracuda.com using the PGP key found at https://www.barracudalabs.com/bugbountypgp.txt.
To qualify for the bug bounty, the bug must be disclosed only to the company. Once the issue is fixed, public disclosure of the issue is allowed.