This month, we asked security pros what they thought about China’s new vulnerability disclosure law, which requires researchers to hand over information on vulnerabilities, including zero-days, to the authorities. Frank Downs, director of proactive services at BlueVoyant, suggested that Chinese researchers were likely to tread much more carefully, while Joseph Carson, chief security scientist at ThycoticCentrify, said it could impact companies doing development work within China.
Other observers have suggested that the rules could limit legitimate security research and allow the Chinese military and intelligence agencies to “stockpile” vulnerabilities for future use. In bug bounty program news, Yearn Finance, the decentralized finance protocol, has launched a bug bounty program promising payouts of between $20,000 and $200,000 for critical vulnerabilities.
Meanwhile, loyalty management tech firm Antavo has set up a bug bounty program on European crowdsourced security platform Hacktify, offering up to €240 ($283) for qualifying security flaws.
At the other end of the coordinated disclosure process, Microsoft says its own bug bounty program has awarded a whacking $13.6 million to security researchers over the past 12 months. The biggest payout was $200,000, for the discovery of vulnerabilities in the company's Hyper-V technology, with the average around $10,000. And there was a big reward for newbie security researcher Augusto Zanellato, who netted $50,000 after discovering a GitHub access token that gave access to Shopify repos.
Finally, we spoke to Estonian infosec expert Oliver Sild about his new platform Patchstack. Aimed at securing WordPress plugins and the sites they run on, the platform has been inspired by the bug bounty business model, according to Sild. “What we’ve built is a gamification-based bug hunting platform, where researchers can find vulnerabilities in whatever WordPress plugin they choose,” he says. “Each month we have a prize pool, which has just started paying out.”