Let's make sure Heartbleed doesn't happen again. (opens in new tab)

(crowdtilt.com)

5 pointsdamncabbage12y ago2 comments

2 comments

2 comments · 1 top-level

damncabbageOP12y ago· 1 in thread

  This Crowdtilt will fund a focussed crowdsourced security assessment (otherwise
  known as a bug bounty) on OpenSSL.
  ...
  Security crowdsourcing company Bugcrowd will organize a “sprint bounty;”
  coordinating and incentivising the security research community to thoroughly
  test OpenSSL for potential security concerns.

I'm a little worried this is just PR move for Bugcrowd, but it might be genuinely useful in producing a bunch of bug reports for holes not discovered yet.

(Having said that, if you're a blackhat the amount you'd get selling or using anything you found would eclipse whatever Bugcrowd would pay you... But that'd happen regardless if this ran or not.)

bugcrowd12y ago

We think it'll be useful.

You're right re the payout amount for blackhats, but it only takes one whitehat to claim a reward for a bug to get killed, and the idea of a sprint is to get a bunch of them focussed on the same target at the same time. We've been running sprints alongside the more traditional ongoing bug bounties since we started, and they're very effective.

Hopefully we will get enough individuals and companies backing this to make the rewards attractive to the right kinds of researchers.

j / k navigate · click thread line to collapse