Bug bounty framework?

Li-Wen Hsu lwhsu at freebsd.org
Mon Apr 26 20:12:52 UTC 2021


On Tue, Apr 27, 2021 at 3:55 AM linimon at portsmon.org <linimon at portsmon.org> wrote:
>
> > On 04/25/2021 1:43 PM Mason Loring Bliss <mason at blisses.org> wrote:
> > I don't remember this idea coming up previously, so I wanted to see what
> > folks think about a framework for bug bounties and similar.
>
> Actually it _has_ been discussed before, but not very recently.
>
> tl;dr: there's demand for it but no one has stepped up to do the work to
> set it up :-)

I feel it's mixing two different things?  IIUC, "bug bounty" mostly
means that an organization (usually a big company) offers a prize to
reward the people who report security issues, instead of selling the
0day on the dark net. :-) I'm not sure that we, as an open source
project, should have that, but I remember seeing some places where
there are rewards for reporting kernel security issues, including
FreeBSD ones (and I hope they forward the reports to our security team.)

The idea the original post described sounds like having a reward for
completing a specified task. It's more like a job posting for seeking
freelancers. But there are one (or more) such services for open source
projects. Here is an example I remember:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd

I guess leveraging those external services is better than setting up
our own at this point?

Best,
Li-Wen
