"Become a millionaire without leaving home. No experience required"
October 13, 2016
Cloud and hosting company OVH has given more details about the bug bounty programme it announced in July. It is offering to pay developers for any bugs that they report to OVH. Rewards start at €50 and run as high as €20,000. By comparison, Microsoft pays out up to $100,000 and Apple $200,000. While this isn’t the largest bounty programme, OVH is focused on bugs in its own infrastructure rather than zero-day bugs in products from other vendors.
Octave Klaba, co-founder and CTO of OVH, announced in his keynote that the programme had gone from beta to being publicly accessible. Despite applause from the audience, he didn’t go into a lot more detail. This was a surprise, as it seemed only a few of those present were aware of the programme’s existence.
At the press conference immediately after the keynote, Klaba gave more perspective on the programme. It was his idea to start with, but OVH faced delays getting it up and running. According to Klaba: “We wanted to do this 2-3 years ago but there were legal issues in France.”
Klaba didn’t elaborate on what those legal issues were. It might be that they were about paying people for what could be seen as hacking into code. France has some strict controls on intellectual property, and OVH would have wanted to ensure that anyone reporting bugs could do so safely. Interestingly, Klaba went on to say: “We don’t pay the people, we have advice from the partner.” The implication is that not all payments are from OVH. This suggests that the programme covers more than just issues with OVH code and infrastructure.
We asked Klaba if there were plans to increase the payout. After all, €20,000 is well below the Dark Net rate for bugs. Klaba responded: “We will see the revenue higher.” However, he declined to say when and by how much. He did say that there had already been “a lot of feedback from bounty hunters and more than 50 cases have been fixed and paid.”