From: Li-Wen Hsu <lwhsu@freebsd.org>
Date: Tue, 27 Apr 2021 04:12:40 +0800
Subject: Re: Bug bounty framework?
To: linimon@portsmon.org
Cc: Mason Loring Bliss, FreeBSD Hackers
List-Id: Technical discussions relating to FreeBSD
In-Reply-To: <1219846208.215399.1619466917981@privateemail.com>
References: <20210425184323.GR18217@blisses.org> <1219846208.215399.1619466917981@privateemail.com>

On Tue, Apr 27, 2021 at 3:55 AM linimon@portsmon.org wrote:
>
> > On 04/25/2021 1:43 PM Mason Loring Bliss wrote:
> > I don't remember this idea coming up previously, so I wanted to see what
> > folks think about a framework for bug bounties and similar.
>
> Actually it _has_ been discussed before, but not very recently.
>
> tl;dr: there's demand for it but no one has stepped up to do the work to
> set it up :-)

I feel it's mixing two different things? IIUC, "bug bounty" mostly means that an organization (usually a big company) has a prize to reward the people who report security issues, instead of selling the 0day on the dark net. :-) I'm not sure that, as an open source project, we should have that, but I remember seeing some places where there are rewards for reporting kernel security issues, including FreeBSD (and I hope they forward the report to our security team.)

The idea the original post described sounds like having a reward for completing a specified task. It's more like a job posting for seeking freelancers. But there is one (or more) for open source projects. Here is an example I remember:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd

I guess leveraging those external services is better than setting up our own at this point?

Best,
Li-Wen