LAS VEGAS--Bug bounties have been around in various forms for a long time now, and many of the larger and more powerful software companies on the planet pay significant amounts of money to researchers each year who report vulnerabilities directly to them.
With certain conditions, of course. The money is usually only available to researchers who play by the vendors’ rules and typically only for vulnerabilities in certain applications or categories. But some companies have taken a different approach and tried to incentivize researchers to develop new defensive technologies. Microsoft started this trend in 2011 with its Blue Hat Prize, and others have followed suit, most notably Facebook, which this week at Black Hat USA handed out more than $800,000 in grants to 10 researchers as part of its Secure the Internet grant program. The money went to a variety of academic researchers who had submitted proposals to Facebook for a wide range of different defensive techniques.
One of the more interesting proposals is from Nicola Dell at Cornell University, who plans to use the $92,000 grant to wok on methods for helping protect new Internet users in developing countries.
“The goal of my proposed research is to understand and mitigate the privacy challenges faced by novice internet users in the Global South, focusing on Bangladesh as a first customer story … My work addresses these challenges by: 1) collecting empirical data to understand novice internet users’ patterns and privacy concerns; 2) distilling privacy threat models and assessing the relevance, severity, and likelihood of attacks; and 3) using the new threat models to design and deploy novel interventions that improve digital privacy by supporting alternative usage models and increasing awareness of privacy,” Dell said in the proposal.
Facebook announced last year that it would fund up to $1 million in grants for researchers to work on practical methods for increasing user safety and this week’s awards were the first to come from the program. Another of the winning submissions is for a project that aims to improve authentication by using behavioral biometrics. So rather than a username and password and a second factor such as an authenticator app, users would also be authenticated through the way they behave online.
“To supplement existing Facebook authentication and detect imposters after initial log-in, we propose to develop behavior-based authentication, where user profiles consist of identifiers derived from user interactions with desktop and mobile devices (e.g. keystrokes, mouse, swipes). We will extract higher-order activity such as widget interaction, Likes, and Shares from Facebook and combine these with basic identifiers to create stronger authentication, with shorter detect time,” the proposal from a team of researchers at Clarkson University said.
Facebook plans to award another $200,000 in grants next week at the USENIX Security Symposium.