The Internet Bug Bounty covers approximately a dozen open source projects that are critical to the functioning of the Internet, including PHP, Perl, Python, Ruby, OpenSSH and others. Such projects typically don’t have the resources to run their own bug bounty programs, Rice said.
Security researchers participating in bug bounty programs are given a “bounty” or financial award for responsibly disclosing security vulnerabilities. Bug bounty programs are an increasingly popular tool employed by Google and other companies.
“The vulnerabilities go directly to the project maintainers and are fixed directly by them,” Rice said. “Facebook and the other Internet Bug Bounty panelists then award the researchers.”