Cloud and hosting company OVH has given more details about the bug bounty programme it announced in July. It is offering to pay developers for any bugs they report to OVH. Rewards start at €50 and run as high as €20,000. By comparison, Microsoft pays out up to $100,000 and Apple up to $200,000. While this isn’t the largest bounty programme, OVH is focused on bugs in its own infrastructure rather than zero-day bugs in products from other vendors.
OVH offering up to €20,000 per bug
Octave Klaba, co-founder and CTO of OVH, announced in his keynote that the programme had gone from beta to being publicly accessible. Despite applause from the audience he didn’t go into a lot more detail. This was a surprise, as it seemed only a few of those present were aware of the programme’s existence.
At the press conference immediately after the keynote, Klaba put the programme into more perspective. It was his idea to start with, but OVH faced delays getting it up and running. According to Klaba: “We wanted to do this 2-3 years ago but there were legal issues in France.”
Klaba didn’t elaborate on what those legal issues were. It might be that they were about paying people for what could be seen as hacking into code. France has some strict controls on intellectual property, and OVH would have wanted to ensure that anyone reporting bugs could do so safely. Interestingly, Klaba went on to say: “We don’t pay the people, we have advice from the partner.” The implication is that not all payments are from OVH. This suggests that the programme covers more than just issues with OVH code and infrastructure.
We asked Klaba if there were plans to increase the payout. After all, €20,000 is well below the Dark Net rate for bugs. Klaba responded: “We will see the revenue higher.” However, he declined to say when or by how much. He did say that there had already been “a lot of feedback from bounty hunters and more than 50 cases have been fixed and paid.”
Bug bounty programmes are becoming increasingly common across software vendors. As cloud vendors build out their own services, extending bug bounty programmes to their infrastructure makes sense. This will not only improve the underlying code but also harden the infrastructure.
The only issue here is one of risk versus reward. The risks are increasing faster than the rewards, which means vendors and cloud providers will need to offer ever larger sums to bounty hunters. If not, there are plenty of companies operating inside the Dark Net that will happily bid for the information.
Disclaimer: OVH paid for my fuel and Eurotunnel ticket so I could attend the event.