Date:      Mon, 26 Apr 2021 23:20:40 +0300
From:      Yuri Pankov <yuripv@ftml.net>
To:        FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Bug bounty framework?
Message-ID:  <6944624e-fd6f-f8a5-6c65-8764b650d911@ftml.net>
In-Reply-To: <CAKBkRUx+aT7HZmbPO=4nb3y37i86Gi8nWYZGvEShzWij8C4BJQ@mail.gmail.com>
References:  <20210425184323.GR18217@blisses.org> <1219846208.215399.1619466917981@privateemail.com> <CAKBkRUx+aT7HZmbPO=4nb3y37i86Gi8nWYZGvEShzWij8C4BJQ@mail.gmail.com>

Li-Wen Hsu wrote:
> On Tue, Apr 27, 2021 at 3:55 AM linimon@portsmon.org
> <linimon@portsmon.org> wrote:
>>
>>> On 04/25/2021 1:43 PM Mason Loring Bliss <mason@blisses.org> wrote:
>>> I don't remember this idea coming up previously, so I wanted to see what
>>> folks think about a framework for bug bounties and similar.
>>
>> Actually it _has_ been discussed before, but not very recently.
>>
>> tl;dr: there's demand for it but no one has stepped up to do the work to
>> set it up :-)
> 
> I feel it's mixing two different things?  IIUC, "bug bounty"
> mostly means that an organization (usually a big company) has a prize
> to reward the people who report security issues, instead of selling
> the 0day on the dark net. :-) I'm not sure that, as an open source
> project, we should have that, but I remember that I've seen some
> places where there are rewards for reporting kernel security issues,
> including FreeBSD (and hope they forward the report to our security
> team.)
> 
> The idea the original post described sounds like having a reward
> for completing a specified task. It's more like a job posting for
> seeking freelancers. But there is one (or more) for open source
> projects. Here is an example I remember:
> 
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
> https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd
> 
> I guess leveraging those external services is better than setting up
> our own at this point?

I think the problem is in "(or more)" -- both sides need to know where
exactly to post/look for tasks.
