On 01/16/2012 12:34 PM, Bennett Haselton wrote:
> With companies like Facebook and Google offering cash prizes for people
> who can find security holes in their products, has there ever been any
> consideration given to offering cash rewards to people finding security
> exploits in CentOS or in commonly bundled services like Apache?
> (Provided of course they follow "responsible disclosure" and report the
> exploit to the software authors and get it fixed.)
>
> Obviously the benefit would be that it would increase the chance of a
> white hat finding and fixing an exploit, before a black hat discovered
> the same one and used it to attack people's servers. Would there be any
> other downsides, other than the cost of paying out the prize?
>
> I've heard some objections from companies over the years who didn't want
> to institute a "prize program", but I thought some of those objections
> didn't make much sense (and indeed some of those companies ended up
> instituting a prize program after all, a few years later). For example,
> some people said, "This just encourages people to find exploits and then
> they might use those exploits to do harm." (The problem with this is if
> someone has sufficient black-hat incentives for finding an exploit --
> either to do malice, or more likely to sell it on the black market --
> those incentives *already* exist, so the prize program wouldn't create
> any additional incentive to use an exploit illegally.) Would you feel
> safer using CentOS if a bounty program encouraged people to report
> exploits to the project? Why or why not? I think I would, for the
> stated reason -- newly discovered exploits are more likely to get
> reported and fixed, than to be used in the wild. But I'd be curious why
> anyone might feel less safe if such a program existed.
>
> On a related question, suppose that instead of paying for generic
> exploits against the operating system, you as a webmaster had the option
> of adding your website to a directory of "bounty" sites, where you would
> have to put up a bond of $100 to join. Then anyone who could prove that
> they broke into your server (let's say the "proof" is that they read a
> world-readable file in the root directory) would collect the $100 prize,
> if they can describe exactly how they did it and what you need to fix to
> prevent the attack in the future. That way, if there's ever a weakness
> in your server, it's more likely to be found by a white hat and reported
> to you directly so you can fix it, before a black hat finds the same
> weakness. Would you sign up your webserver? I think I would, and I
> believe I'd be reducing the risk of a black-hat breakin as a result, but
> there may be counter-arguments that I'm not thinking of.
>

For the record ... Facebook USES CentOS