The European Parliament has approved budget for VLC bug bounty program (opens in new tab)

(hackerone.com)

168 pointsD3_4dl1N38y ago36 comments

36 comments

Is anyone else concerned at the perverse incentives created by bug bounties on open source software?

Monetizing bugs may end up encouraging the creation of insidious, underhanded bugs explicitly so that bounties can later be claimed by other parties supposedly at arms length.

dvt8y ago

This seems a bit paranoid. It's not like OSS doesn't have code review processes.

barrkel8y ago

It pays to be paranoid. I believe I'd be able to add exploitable bugs that would not be detected in most code reviews; there's a large library of techniques available from underhanded C competitions and similar.

3 more replies

madez8y ago

I'm not concerned. First, with git we can look who introduced the bugs. Second, the worst-case you fear would still imply development of the project, which is good. After all, you can't maliciously introduce a bug without changing anything.

wdr18y ago

http://dilbert.com/strip/1995-11-13

chasil8y ago

It would be nice if they also approved one for Android Stagefright.

All monthly Android security bulletins from this year have critical CVEs in the media system.

https://source.android.com/security/bulletin/

icebraining8y ago

I think Google can afford to pay for that.

heavenlyblue8y ago

Why VLC?

detaro8y ago

Because it's software the EU institutions use.

EDIT: VLC was the third-highest ranked one from a survey on what software to study, with the two already reviewed ones (KeePass and Apache HTTPD) being above it.

ars8y ago

It's because VLC was written in Europe, in Paris specifically.

It's more multinational now, but still primarily a European project.

Realistically they are not going to fund an American project. I know the Internet makes "country" semi-obsolete (at least when describing software), countries themselves still care a lot about that.

3 more replies

matt40778y ago

I'm trying to think of an open source project that is used as widely as VLC, and not backed by Google. Maybe there is, but I can't think of any.

Manozco8y ago

SQLite

ars8y ago

ffmpg/libav - even VLC itself uses it.

sametmax8y ago

Cups

sametmax8y ago

Zlib

indubitable8y ago

apache http server

rakoo8y ago

curl

Numberwang8y ago

Yeah, mpv.io is where it's at.

agumonkey8y ago

so lovely I use it on windows. so lovely

also has lua scripting support https://mpv.io/manual/stable/#lua-scripting

Fnoord8y ago

Why?

thresh8y ago

mpv is dead

3 more replies

gcbw28y ago

what about this rationale:

> The purpose of the procedure is to provide the European institutions with open source software projects or libraries that have been properly screened for potential vulnerabilities;

I don't think bug bounty is a substitute for certification. And it benefits the most if is a long-run with accumulating rewards.

making it short term with only one payout will only attract people with automated tools for the initial period. Then code will get "certified" and forgotten. It all seems wrong. Hopefully it is just bad wording on the official PR.

matt40778y ago

> I don't think bug bounty is a substitute for certification.

Neither does the EU: by extending the free software security audit programme (FOSSA)[...]. Meaning: there already is an audit, certification and audit being synonymous for this purpose.

> making it short term

This is a trial run, to be extended later: we are trialing the VLC application on a bug bounty program

> with only one payout

There will be as many payouts as security-relevant bugs are found: Rewards may range from $100 up to $3,000.

> will only attract people with automated tools

This is a private trial, where people with automated tools submitting low-impact bugs will presumably not be invited: We invite hackers and bounty hunters (aka researchers) based on a variety of factors - reputation, previous track record (high quality reports)

> Then code will get "certified" and forgotten.

This is VLC, one of the most-used open source programs. How will code merged into the product be forgotten?

> It all seems wrong.

Indeed...

> Hopefully it is just bad wording on the official PR.

I think the problem is more likely caused by a complete lack of reading skills.

sandworm1018y ago

>> I don't think bug bounty is a substitute for certification.

Nor does certification preclude the need for a BB program. These are very different schemes with very different outcomes.

em3rgent0rdr8y ago

Shouldn't fixing bugs a prerequisite for being certified?

j / k navigate · click thread line to collapse

36 comments

barrkel8y ago

Is anyone else concerned at the perverse incentives created by bug bounties on open source software?

Monetizing bugs may end up encouraging the creation of insidious, underhanded bugs explicitly so that bounties can later be claimed by other parties supposedly at arms length.

dvt8y ago

This seems a bit paranoid. It's not like OSS doesn't have code review processes.

barrkel8y ago

3 more replies

madez8y ago

wdr18y ago

http://dilbert.com/strip/1995-11-13

chasil8y ago

It would be nice if they also approved one for Android Stagefright.

All monthly Android security bulletins from this year have critical CVEs in the media system.

https://source.android.com/security/bulletin/

icebraining8y ago

I think Google can afford to pay for that.

heavenlyblue8y ago

Why VLC?

detaro8y ago

Because it's software the EU institutions use.

EDIT: VLC was the third-highest ranked one from a survey on what software to study, with the two already reviewed ones (KeePass and Apache HTTPD) being above it.

ars8y ago

It's because VLC was written in Europe, in Paris specifically.

It's more multinational now, but still primarily a European project.

Realistically they are not going to fund an American project. I know the Internet makes "country" semi-obsolete (at least when describing software), countries themselves still care a lot about that.

3 more replies

matt40778y ago

I'm trying to think of an open source project that is used as widely as VLC, and not backed by Google. Maybe there is, but I can't think of any.

Manozco8y ago

SQLite

ars8y ago

ffmpg/libav - even VLC itself uses it.

sametmax8y ago

Cups

sametmax8y ago

Zlib

indubitable8y ago

apache http server

rakoo8y ago

curl

Numberwang8y ago

Yeah, mpv.io is where it's at.

agumonkey8y ago

so lovely I use it on windows. so lovely

also has lua scripting support https://mpv.io/manual/stable/#lua-scripting

Fnoord8y ago

Why?

thresh8y ago

mpv is dead

3 more replies

gcbw28y ago

what about this rationale:

> The purpose of the procedure is to provide the European institutions with open source software projects or libraries that have been properly screened for potential vulnerabilities;

I don't think bug bounty is a substitute for certification. And it benefits the most if is a long-run with accumulating rewards.

matt40778y ago

> I don't think bug bounty is a substitute for certification.

Neither does the EU: by extending the free software security audit programme (FOSSA)[...]. Meaning: there already is an audit, certification and audit being synonymous for this purpose.

> making it short term

This is a trial run, to be extended later: we are trialing the VLC application on a bug bounty program

> with only one payout

There will be as many payouts as security-relevant bugs are found: Rewards may range from $100 up to $3,000.

> will only attract people with automated tools

> Then code will get "certified" and forgotten.

This is VLC, one of the most-used open source programs. How will code merged into the product be forgotten?

> It all seems wrong.

Indeed...

> Hopefully it is just bad wording on the official PR.

I think the problem is more likely caused by a complete lack of reading skills.

sandworm1018y ago

>> I don't think bug bounty is a substitute for certification.

Nor does certification preclude the need for a BB program. These are very different schemes with very different outcomes.

em3rgent0rdr8y ago

Shouldn't fixing bugs a prerequisite for being certified?

j / k navigate · click thread line to collapse