[CentOS] bounties for exploits against CentOS?

Bennett Haselton bennett at peacefire.org
Mon Jan 16 18:34:37 UTC 2012


With companies like Facebook and Google offering cash prizes for people 
who can find security holes in their products, has there ever been any 
consideration given to offering cash rewards to people finding security 
exploits in CentOS or in commonly bundled services like Apache?  
(Provided of course they follow "responsible disclosure" and report the 
exploit to the software authors and get it fixed.)

Obviously the benefit would be that it would increase the chance of a 
white hat finding and fixing an exploit, before a black hat discovered 
the same one and used it to attack people's servers.  Would there be any 
other downsides, other than the cost of paying out the prize?

I've heard some objections from companies over the years who didn't want 
to institute a "prize program", but I thought some of those objections 
didn't make much sense (and indeed some of those companies ended up 
instituting a prize program after all, a few years later).  For example, 
some people said, "This just encourages people to find exploits and then 
they might use those exploits to do harm."  (The problem with this is if 
someone has sufficient black-hat incentives for finding an exploit -- 
either to do malice, or more likely to sell it on the black market -- 
those incentives *already* exist, so the prize program wouldn't create 
any additional incentive to use an exploit illegally.)  Would you feel 
safer using CentOS if a bounty program encouraged people to report 
exploits to the project?  Why or why not?  I think I would, for the 
stated reason -- newly discovered exploits are more likely to get 
reported and fixed, than to be used in the wild.  But I'd be curious why 
anyone might feel less safe if such a program existed.

On a related question, suppose that instead of paying for generic 
exploits against the operating system, you as a webmaster had the option 
of adding your website to a directory of "bounty" sites, where you would 
have to put up a bond of $100 to join.  Then anyone who could prove that 
they broke into your server (let's say the "proof" is that they read a 
world-readable file in the root directory) would collect the $100 prize, 
if they can describe exactly how they did it and what you need to fix to 
prevent the attack in the future.  That way, if there's ever a weakness 
in your server, it's more likely to be found by a white hat and reported 
to you directly so you can fix it, before a black hat finds the same 
weakness.  Would you sign up your webserver?  I think I would, and I 
believe I'd be reducing the risk of a black-hat breakin as a result, but 
there may be counter-arguments that I'm not thinking of.

Bennett



More information about the CentOS mailing list