by kderbe on 6/10/19, 8:00 AM with 69 comments
by Aissen on 6/10/19, 10:07 AM
https://www.sstic.org/2019/presentation/keynote_2019/
They did pay for the bugs, but with "large extra-bonuses for fixes". Maybe this will pave the road to a different approach.
by vesinisa on 6/10/19, 11:39 AM
Is this really valid? I remember reading numerous Google Project Zero blog posts that begin with finding an issue that should not be exploitable thanks to ASLR, and then the research would promptly proceed to defeating ASLR - usually by chaining to some unrelated and much less serious side channel exploit.
by delroth on 6/10/19, 11:40 AM
>> What about you give money to VLC instead of random hackers?
> Well, security is important, so this is cool for our users, but still this is a mixed bag, for me.
I asked Julia Reda that question a few months ago, and I think the answer was pretty interesting. It boils down to the absence of companies that provide this service ("security bugfix bounties") and are also willing to deal with basically being an EU contractor. So instead the EU-FOSSA bounties went to HackerOne, which is not perfect but is a step in the right direction that could be implemented immediately.
Also note that Google does provide bounties for security patches and hardening (https://www.google.com/about/appsecurity/patch-rewards/ -- VLC or ffmpeg are not in there, but many base libraries are) and for integrating FOSS projects into their fuzzing frameworks (https://www.google.com/about/appsecurity/patch-rewards/autof...). I don't know of any other company providing this kind of bounty for FOSS devs.
by kderbe on 6/10/19, 8:26 AM
by forgotmypwd123 on 6/10/19, 10:59 AM
>hi
>I downloaded thé new version and I have a problème withe subtitle please can you help me
How do these people manage to find these unrelated blog posts and decide to request tech support there?
by wyldfire on 6/10/19, 2:33 PM
> from the usual security-asshole to some of the nicest guys ever
It's not clear whether the asshole in question is being dogmatic about some ninety-day disclosure-to-publication deadline or whether they're maybe being rude about the project having security bugs. I have read lots of stories (mostly ones shown here on HN) about knee-jerk overreactions from CIO/CTOs of not-too-large or not-too-technical businesses with vulnerabilities. Those kinds of blame-the-messenger things likely shape their behavior with respect to disclosures.
> The result of that, is that when you don't know how much to award for a security issue (is it medium or low?), you decide on the niceness of the reporter :)
Gee, this sounds like it's not considering the impact to the user. Isn't that the intent of impact ratings? I suppose the risk of misclassification here is wasting the budget of the bounty on low-harm issues or dissuading researchers from digging deeper to find the high-impact ones.
by viach on 6/10/19, 11:43 AM
This pretty much illustrates the attitude of most of the bug bounties programs holders.
by rurban on 6/11/19, 6:24 AM
e.g. glibc got a payout of 45.000, which means 4 exceptional-risk bugs and 1 critical. https://www.intigriti.com/public/project/glibc/glibc
I find that quite disturbing.
by dontbenebby on 6/10/19, 3:27 PM
Reproducible builds + a signed list of hashes would be a nice move for security.
by vanderZwan on 6/10/19, 11:47 AM