Security firm Barracuda Networks is offering payments of up to $3,100 to researchers who find vulnerabilities in its products.
The move follows similar incentives by Google and Mozilla, and is intended to persuade researchers to hand over vulnerability information to vendors quickly, instead of posting it on the Web or passing it into the ecosystem of hackers.
“Security product vendors should be at the forefront of promoting security research,” said Paul Judge, chief research officer at Barracuda Networks, in a statement. “This initiative reflects our commitment to our customers and the security community at large. The goal of this program is to reward researchers for their hard work as well as to promote and encourage responsible disclosure.”
Just recently, Google expanded its bug rewards programme to include its Web properties, such as YouTube and Orkut. The program’s top reward is the same as the amount being offered by Barracuda – $3,133.70 – for anyone who finds critical bugs in Google’s Web applications and reports them directly to the company. Google first established its program earlier this year to reward people for reporting issues in Google Chrome.
The minimum reward from Google is $500. For now, Google’s client applications, such as Android and Google Desktop, are not in the scope of the program, though Google has said it may be expanded in the future.
Mozilla has operated a vulnerability reporting initiative for years. To qualify for its rewards, a security bug must be present in the most recent supported, beta or release candidate versions of Firefox, Thunderbird or Firefox Mobile, or in Mozilla services that could compromise users of those products. Valid, critical bugs can earn reporters up to $3,000.
In the case of Barracuda, the company has announced that the following products are in the program’s scope: Barracuda Spam & Virus Firewall, Barracuda Web Filter, Barracuda Web Application Firewall and Barracuda NG Firewall. For now, only the appliance form factor of each of the products is fair game, and only the most recent generally available version qualifies.
Remote exploits, privilege escalation, cross-site scripting and other attacks that compromise confidentiality, availability or authentication are acceptable. Once the vulnerability is fixed, the finder can publicise it, the company said. Attacks against Barracuda’s corporate infrastructure, demo servers or customers are prohibited.
Update: This story was updated to reflect Barracuda’s clarification about rules regarding acceptable bugs.