Analytics firm New Relic has coupled up with vuln disclosure firm HackerOne as part of a “responsible disclosure program” for bugs. But while it pledges not to take legal action against anyone spotting a hole, it won’t be ponying up cash for them either.
Instead, New Relic is banking on researchers, or just the curious, being happy to boost their cred in the security world.
In a blog posting, New Relic security engineer Alex Hamlin declared: “Our user base is a very large, passionate, and technical group of people. With that many sharp eyes on our products every day, it is possible that bugs will be found from time to time. When these bugs manifest as security issues, we want to encourage users to report them to us via an appropriate channel, without fear of repercussions.”
“The security research community includes many individuals who routinely test for security vulnerabilities,” he continued. “This program will allow us to define a scope within which these researchers can responsibly test our systems, and help us encourage the discovery and remediation of as many vulnerabilities as possible.”
In the security world, it is of course not unusual for bug spotters to enjoy a little recompense for flagging up security vulns – that’s what HackerOne is for, after all. However, this won’t be the case with New Relic’s program.
“At this time, we are not awarding bounties or cash rewards for reported vulnerabilities,” said Hamlin. “However, researchers will earn HackerOne Reputation based on the merit of reported vulnerabilities, which may help qualify them for private bug bounty programs.”
If you’re looking to boost your rep, you can sign up and peruse the policy here. It pledges to follow HackerOne's disclosure guidelines, and includes a long list of “out-of-scope issues it doesn’t want to hear about.”
Unsurprisingly, social engineering and phishing will not qualify for legal relief under the scheme. Neither will “physical attacks against New Relic employees, offices and data centres.” ®