by Paul Judge, Daniel Peck and the Barracuda Labs team
Six years ago, Mozilla launched a security bug bounty program. Last week, Google announced a bug bounty program for its Web properties. We salute the efforts of these end-user-facing applications and services to prioritize the security and privacy of their users. At Barracuda Networks, as a creator of technologies and products that help businesses protect their resources and users, we similarly focus on continually improving the security of our products. Before today, we knew of no security product vendor that had offered a security bug bounty for its own products. Security product vendors should be at the forefront of promoting community security research. Today, we announced a security bug bounty program for Barracuda Networks’ security products. We look forward to working with both our existing contacts and new security researchers to help make our products even better. Below we describe our program in a Q&A fashion*.
Q) What products are in scope?
A) The following security products by Barracuda Networks:
- Barracuda Spam & Virus Firewall
- Barracuda Web Filter
- Barracuda Web Application Firewall
- Barracuda NG Firewall
Other Barracuda Networks products are not currently in scope. For now, the scope is limited to the appliance form factor of each product listed above, not any related service or SaaS version. Only the most recent generally available version of each product qualifies.
Q) What classes of bug are in scope?
A) The following bugs and attack types are excluded:
Use of automated testing tools; social engineering; denial of service; physical attacks; attacks against Barracuda Networks’ customers; attacks against Barracuda Networks’ corporate infrastructure or demo servers.
Bug types that are in scope include those that compromise confidentiality, integrity, availability or authentication. For example: remote exploits, privilege escalation, persistent cross-site scripting, code execution, command injection.
Q) How do I report a vulnerability?
Q) What is the bounty?
A) The bounty starts at $500 for qualifying bugs. The panel may award up to $3,133.7 for particularly severe bugs. You may opt to donate your bounty to a charity. Additionally, we will credit your work as the bug/vulnerability reporter if you wish. Only the first report of a given bug qualifies. (Why $3,133.7? The number pays homage to “eleet”, slang used by some in the security community for “elite” and often written as 31337.)
Q) What is the disclosure requirement?
A) To qualify for the bug bounty, the bug must be disclosed only to Barracuda Networks. Once the issue is fixed, you will be able to disclose it publicly.
Q) And now a message from our legal team…
A) This program is not open to minors, to individuals on sanctions lists, or to individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions under your country’s and local law. We reserve the right to cancel this program at any time, and the decision to pay a reward is entirely at our discretion. You must not violate any law. You also must not disrupt any service or compromise anyone’s data.
Thank you for your interest in the Barracuda Security Bug Bounty Program and for helping Barracuda Networks to make our products more secure.
*similar to the style of the Google and Chromium announcements