From: Yuri Pankov <yuripv@ftml.net>
To: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: Bug bounty framework?
Date: Mon, 26 Apr 2021 23:20:40 +0300
Message-ID: <6944624e-fd6f-f8a5-6c65-8764b650d911@ftml.net>
References: <20210425184323.GR18217@blisses.org> <1219846208.215399.1619466917981@privateemail.com>

Li-Wen Hsu wrote:
> On Tue, Apr 27, 2021 at 3:55 AM linimon@portsmon.org
> <linimon@portsmon.org> wrote:
>>
>>> On 04/25/2021 1:43 PM Mason Loring Bliss wrote:
>>> I don't remember this idea coming up previously, so I wanted to see what
>>> folks think about a framework for bug bounties and similar.
>>
>> Actually it _has_ been discussed before, but not very recently.
>>
>> tl;dr: there's demand for it but no one has stepped up to do the work to
>> set it up :-)
>
> I feel it's mixing two different things? IIUC that "bug bounty"
> mostly means that an organization (usually a big company) has a prize
> to reward the people who report security issues, instead of selling
> the 0day to the dark net. :-) I'm not sure as an open source, we
> should have that, but I remember that I see some places there are
> rewards for reporting kernel security issues, including FreeBSD (and
> hope they forward the report to our security team.)
>
> For the idea the original post described sounds like having a reward
> for completing a specified task. It's more like a job posting for
> seeking freelancers. But there is one (or more) for open source
> projects. Here is an example I remember:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
> https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd
>
> I guess leveraging those external services is better than setting up
> our own at this point?

I think the problem is in "(or more)" -- both sides need to know where
exactly to post/look for tasks.