Alex Rice spent five-and-a-half years working as head of product security at Facebook before he helped found HackerOne, provider of a platform that enables organizations to run bug bounty programs. At HackerOne, Rice has teamed with his former employer as well as Microsoft to help sponsor and operate the Internet Bug Bounty.
Rice explained that the Internet Bug Bounty covers approximately a dozen open source projects that are critical to the functioning of the Internet, including PHP, Perl, Python, Ruby, OpenSSH and others. Such projects typically don't have the resources to run their own bug bounty programs, Rice said.
Security researchers participating in bug bounty programs are given a "bounty," a financial award, for responsibly disclosing security vulnerabilities. Bug bounty programs are an increasingly popular tool employed by Google and other companies.
“The vulnerabilities go directly to the project maintainers and are fixed directly by them,” Rice said. “Facebook and the other Internet Bug Bounty panelists then award the researchers.”
The Linux Foundation is leading another large effort to help improve open source security, known as the Critical Infrastructure Initiative (CII). In Rice's view, CII helps projects improve their best practices and overall security hygiene during the development stage.
“The Internet Bug Bounty comes in on the tail end of that (CII), assuming that even with the investment there, just like any good security program something is going to get through,” Rice said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.