[CentOS] bounties for exploits against CentOS?
Johnny Hughes
johnny at centos.org
Tue Jan 17 09:14:02 UTC 2012
On 01/16/2012 12:34 PM, Bennett Haselton wrote:
> With companies like Facebook and Google offering cash prizes for people
> who can find security holes in their products, has there ever been any
> consideration given to offering cash rewards to people finding security
> exploits in CentOS or in commonly bundled services like Apache?
> (Provided of course they follow "responsible disclosure" and report the
> exploit to the software authors and get it fixed.)
>
> Obviously the benefit would be that it would increase the chance of a
> white hat finding and fixing an exploit, before a black hat discovered
> the same one and used it to attack people's servers. Would there be any
> other downsides, other than the cost of paying out the prize?
>
> I've heard some objections from companies over the years who didn't want
> to institute a "prize program", but I thought some of those objections
> didn't make much sense (and indeed some of those companies ended up
> instituting a prize program after all, a few years later). For example,
> some people said, "This just encourages people to find exploits and then
> they might use those exploits to do harm." (The problem with this is if
> someone has sufficient black-hat incentives for finding an exploit --
> either to do malice, or more likely to sell it on the black market --
> those incentives *already* exist, so the prize program wouldn't create
> any additional incentive to use an exploit illegally.) Would you feel
> safer using CentOS if a bounty program encouraged people to report
> exploits to the project? Why or why not? I think I would, for the
> stated reason -- newly discovered exploits are more likely to get
> reported and fixed, than to be used in the wild. But I'd be curious why
> anyone might feel less safe if such a program existed.
>
> On a related question, suppose that instead of paying for generic
> exploits against the operating system, you as a webmaster had the option
> of adding your website to a directory of "bounty" sites, where you would
> have to put up a bond of $100 to join. Then anyone who could prove that
> they broke into your server (let's say the "proof" is that they read a
> world-readable file in the root directory) would collect the $100 prize,
> if they can describe exactly how they did it and what you need to fix to
> prevent the attack in the future. That way, if there's ever a weakness
> in your server, it's more likely to be found by a white hat and reported
> to you directly so you can fix it, before a black hat finds the same
> weakness. Would you sign up your webserver? I think I would, and I
> believe I'd be reducing the risk of a black-hat break-in as a result, but
> there may be counter-arguments that I'm not thinking of.
>
>
For the record ... Facebook USES CentOS