Date:      Tue, 27 Apr 2021 04:12:40 +0800
From:      Li-Wen Hsu <lwhsu@freebsd.org>
To:        "linimon@portsmon.org linimon@portsmon.org" <linimon@portsmon.org>
Cc:        Mason Loring Bliss <mason@blisses.org>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Bug bounty framework?
Message-ID:  <CAKBkRUx%2BaT7HZmbPO=4nb3y37i86Gi8nWYZGvEShzWij8C4BJQ@mail.gmail.com>
In-Reply-To: <1219846208.215399.1619466917981@privateemail.com>
References:  <20210425184323.GR18217@blisses.org> <1219846208.215399.1619466917981@privateemail.com>

On Tue, Apr 27, 2021 at 3:55 AM linimon@portsmon.org
linimon@portsmon.org <linimon@portsmon.org> wrote:
>
> > On 04/25/2021 1:43 PM Mason Loring Bliss <mason@blisses.org> wrote:
> > I don't remember this idea coming up previously, so I wanted to see what
> > folks think about a framework for bug bounties and similar.
>
> Actually it _has_ been discussed before, but not very recently.
>
> tl;dr: there's demand for it but no one has stepped up to do the work to
> set it up :-)

I feel it's mixing two different things?  IIUC, "bug bounty" mostly
means that an organization (usually a big company) has a prize to
reward the people who report security issues, instead of selling the
0day on the dark net. :-) I'm not sure, as an open source project, we
should have that, but I remember seeing some places where there are
rewards for reporting kernel security issues, including FreeBSD (and I
hope they forward the reports to our security team.)

The idea the original post described sounds like having a reward for
completing a specified task. It's more like a job posting for seeking
freelancers. But there is one (or more) such service for open source
projects. Here is an example I remember:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd

I guess leveraging those external services is better than setting up
our own at this point?

Best,
Li-Wen
