[CentOS] bounties for exploits against CentOS?

Bennett Haselton bennett at peacefire.org
Tue Jan 17 15:04:30 UTC 2012


On 1/16/2012 3:13 PM, Eero Volotinen wrote:
>> Well I wasn't necessarily advocating it here, just asking whether people
>> would feel more or less secure using CentOS if such a prize program
>> existed (whether run by CentOS or RHEL), and why or why not.
> Well, no.
>
> Usually attacks on a system are caused by misconfiguration of the server or
> firewall, or by bugs in web applications *)
>
> *) https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Well, one of the lessons of the recent threads seems to be that there is 
a lot of disagreement over what constitutes a "misconfigured server".  
Some people consider a server misconfigured if it doesn't use a firewall 
to limit access to sshd, some people consider it misconfigured if sshd 
uses passwords instead of keys, some people consider the server 
misconfigured if it doesn't use SELinux, etc.  Because there are 
mutually contradictory definitions of "misconfigured", if you find out 
that a server was broken into you can always come up with a reason, 
after the fact, why the server should be considered "misconfigured", 
depending on whose definition you use.

But there seems to be some consensus, at least, that exploits do get 
found which allow apache to run arbitrary code (even under its 
unprivileged account), and exploits do get found that elevate an 
unprivileged user to root privileges.  So you could offer, for example, 
a bounty for anyone who finds a way to elevate the privilege of an 
unprivileged account.  That's a lot less powerful than a complete 
exploit that can be used against any server on the Internet, but it's 
the kind of thing an attacker might use as part of a larger exploit.  So 
would you feel safer using CentOS/Red Hat if Red Hat, for example, 
offered a prize to anyone who could find a privilege-escalation exploit 
like that?  Knowing that it would reduce the chance of a black hat 
finding the exploit and using it as part of an attack?

Bennett
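The three competing definitions of "misconfigured" in the message above (sshd not firewalled, passwords instead of keys, SELinux off) are concrete enough to be checked mechanically. The following is an added example, not code from this thread or from the CentOS project: it parses a constructed sshd_config the way sshd reads it (first occurrence of a keyword wins, Match blocks are conditional) and reports which of those definitions a server would fail. The firewall and SELinux state are passed in as parameters (`ssh_reachable_from`, `selinux_mode`, both hypothetical names) rather than read from the host, so it runs offline; the assumed defaults for unset keywords follow OpenSSH of that era, where PermitRootLogin defaulted to yes.

```python
# Added example (not from the thread): audit an sshd_config against the
# "misconfigured server" definitions argued over in the post. Runs offline on
# constructed config text; nothing here touches the live system.
import re

# Constructed sample: the "passwords instead of keys" server.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: the hardened counterpart.
HARDENED_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers deploy admin
"""

# Assumed OpenSSH defaults for unset keywords (PermitRootLogin defaulted to
# "yes" on the OpenSSH shipped with CentOS 5/6).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and, as in sshd, the first occurrence of a
    keyword wins. Parsing stops at the first Match block, because settings
    inside it only apply to connections matching its criteria.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def audit_sshd(text, selinux_mode="Enforcing", ssh_reachable_from="trusted"):
    """Return a list of findings, one per failed 'misconfiguration' definition.

    selinux_mode mirrors the output of `getenforce`; ssh_reachable_from
    summarises the firewall policy for port 22 ("trusted" or "anywhere").
    Both are hypothetical inputs supplied by the caller, not read from the host.
    """
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("sshd accepts passwords (set PasswordAuthentication no)")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("public-key auth disabled (set PubkeyAuthentication yes)")
    if cfg["challengeresponseauthentication"] == "yes":
        # With UsePAM, keyboard-interactive still prompts for a password even
        # when PasswordAuthentication is off, so keys-only needs both disabled.
        findings.append("keyboard-interactive enabled (set ChallengeResponseAuthentication no)")
    if cfg["permitrootlogin"] == "yes":
        findings.append("root may log in directly (set PermitRootLogin no)")
    if ssh_reachable_from == "anywhere":
        findings.append("port 22 reachable from anywhere (restrict with iptables or AllowUsers)")
    if selinux_mode.lower() != "enforcing":
        findings.append("SELinux not enforcing (set SELINUX=enforcing in /etc/selinux/config)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(cfg, selinux_mode="Permissive", ssh_reachable_from="anywhere"))
```

The point of running such a check before an incident rather than after it is exactly the one the message makes: whichever definition of "misconfigured" is going to be applied afterwards, a server can be measured against all of them in advance.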
