[CentOS] bounties for exploits against CentOS?

Tue Jan 17 09:14:02 UTC 2012
Johnny Hughes <johnny at centos.org>

On 01/16/2012 12:34 PM, Bennett Haselton wrote:
> With companies like Facebook and Google offering cash prizes for people 
> who can find security holes in their products, has there ever been any 
> consideration given to offering cash rewards to people finding security 
> exploits in CentOS or in commonly bundled services like Apache?  
> (Provided of course they follow "responsible disclosure" and report the 
> exploit to the software authors and get it fixed.)
>
> Obviously the benefit would be that it would increase the chance of a 
> white hat finding and fixing an exploit, before a black hat discovered 
> the same one and used it to attack people's servers.  Would there be any 
> other downsides, other than the cost of paying out the prize?
>
> I've heard some objections from companies over the years who didn't want 
> to institute a "prize program", but I thought some of those objections 
> didn't make much sense (and indeed some of those companies ended up 
> instituting a prize program after all, a few years later).  For example, 
> some people said, "This just encourages people to find exploits and then 
> they might use those exploits to do harm."  (The problem with this is if 
> someone has sufficient black-hat incentives for finding an exploit -- 
> either to do malice, or more likely to sell it on the black market -- 
> those incentives *already* exist, so the prize program wouldn't create 
> any additional incentive to use an exploit illegally.)  Would you feel 
> safer using CentOS if a bounty program encouraged people to report 
> exploits to the project?  Why or why not?  I think I would, for the 
> stated reason -- newly discovered exploits are more likely to get 
> reported and fixed than to be used in the wild.  But I'd be curious why 
> anyone might feel less safe if such a program existed.
>
> On a related question, suppose that instead of paying for generic 
> exploits against the operating system, you as a webmaster had the option 
> of adding your website to a directory of "bounty" sites, where you would 
> have to put up a bond of $100 to join.  Then anyone who could prove that 
> they broke into your server (let's say the "proof" is that they read a 
> world-readable file in the root directory) would collect the $100 prize, 
> if they can describe exactly how they did it and what you need to fix to 
> prevent the attack in the future.  That way, if there's ever a weakness 
> in your server, it's more likely to be found by a white hat and reported 
> to you directly so you can fix it, before a black hat finds the same 
> weakness.  Would you sign up your webserver?  I think I would, and I 
> believe I'd be reducing the risk of a black-hat break-in as a result, but 
> there may be counter-arguments that I'm not thinking of.

For the record ... Facebook USES CentOS
