Bug bounty framework?
Yuri Pankov
yuripv at ftml.net
Mon Apr 26 20:20:44 UTC 2021
Li-Wen Hsu wrote:
> On Tue, Apr 27, 2021 at 3:55 AM linimon at portsmon.org
> <linimon at portsmon.org> wrote:
>>
>>> On 04/25/2021 1:43 PM Mason Loring Bliss <mason at blisses.org> wrote:
>>> I don't remember this idea coming up previously, so I wanted to see what
>>> folks think about a framework for bug bounties and similar.
>>
>> Actually it _has_ been discussed before, but not very recently.
>>
>> tl;dr: there's demand for it but no one has stepped up to do the work to
>> set it up :-)
>
> I feel it's mixing two different things? IIUC that "bug bounty"
> mostly means that an organization (usually a big company) has a prize
> to reward the people who report security issues, instead of selling
> the 0day to the dark net. :-) I'm not sure as an open source, we
> should have that, but I remember that I see some places there are
> rewards for reporting kernel security issues, including FreeBSD (and
> hope they forward the report to our security team.)
>
> The idea the original post described sounds like having a reward
> for completing a specified task. It's more like a job posting for
> seeking freelancers. But there is one (or more) for open source
> projects. Here is an example I remember:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
> https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd
>
> I guess leveraging those external services is better than setting up
> our own at this point?
I think the problem is in "(or more)" -- both sides need to know where
exactly to post/look for tasks.