Date: Mon, 26 Apr 2021 23:20:40 +0300
From: Yuri Pankov <yuripv@ftml.net>
To: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: Bug bounty framework?
Message-ID: <6944624e-fd6f-f8a5-6c65-8764b650d911@ftml.net>
In-Reply-To: <CAKBkRUx+aT7HZmbPO=4nb3y37i86Gi8nWYZGvEShzWij8C4BJQ@mail.gmail.com>
References: <20210425184323.GR18217@blisses.org> <1219846208.215399.1619466917981@privateemail.com> <CAKBkRUx+aT7HZmbPO=4nb3y37i86Gi8nWYZGvEShzWij8C4BJQ@mail.gmail.com>
Li-Wen Hsu wrote:
> On Tue, Apr 27, 2021 at 3:55 AM linimon@portsmon.org
> linimon@portsmon.org <linimon@portsmon.org> wrote:
>>
>>> On 04/25/2021 1:43 PM Mason Loring Bliss <mason@blisses.org> wrote:
>>> I don't remember this idea coming up previously, so I wanted to see what
>>> folks think about a framework for bug bounties and similar.
>>
>> Actually it _has_ been discussed before, but not very recently.
>>
>> tl;dr: there's demand for it but no one has stepped up to do the work to
>> set it up :-)
>
> I feel it's mixing two different things? IIUC that "bug bounty"
> mostly means that an organization (usually a big company) has a prize
> to reward the people who report security issues, instead of selling
> the 0day to the dark net. :-) I'm not sure as an open source, we
> should have that, but I remember that I see some places there are
> rewards for reporting kernel security issues, including FreeBSD (and
> hope they forward the report to our security team.)
>
> For the idea the original post described sounds like having a reward
> for completing a specified task. It's more like a job posting for
> seeking freelancers. But there is one (or more) for open source
> projects. Here is an example I remember:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
> https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd
>
> I guess leveraging those external services is better than setting up
> our own at this point?

I think the problem is in "(or more)" -- both sides need to know where exactly to post/look for tasks.