With companies like Facebook and Google offering cash prizes for people who can find security holes in their products, has there ever been any consideration given to offering cash rewards to people finding security exploits in CentOS or in commonly bundled services like Apache? (Provided of course they follow "responsible disclosure" and report the exploit to the software authors and get it fixed.)

Obviously the benefit would be that it would increase the chance of a white hat finding and fixing an exploit, before a black hat discovered the same one and used it to attack people's servers. Would there be any other downsides, other than the cost of paying out the prize?

I've heard some objections from companies over the years who didn't want to institute a "prize program", but I thought some of those objections didn't make much sense (and indeed some of those companies ended up instituting a prize program after all, a few years later). For example, some people said, "This just encourages people to find exploits and then they might use those exploits to do harm." (The problem with this is if someone has sufficient black-hat incentives for finding an exploit -- either to do malice, or more likely to sell it on the black market -- those incentives *already* exist, so the prize program wouldn't create any additional incentive to use an exploit illegally.) Would you feel safer using CentOS if a bounty program encouraged people to report exploits to the project? Why or why not? I think I would, for the stated reason -- newly discovered exploits are more likely to get reported and fixed, than to be used in the wild. But I'd be curious why anyone might feel less safe if such a program existed.

On a related question, suppose that instead of paying for generic exploits against the operating system, you as a webmaster had the option of adding your website to a directory of "bounty" sites, where you would have to put up a bond of $100 to join. Then anyone who could prove that they broke into your server (let's say the "proof" is that they read a world-readable file in the root directory) would collect the $100 prize, if they can describe exactly how they did it and what you need to fix to prevent the attack in the future. That way, if there's ever a weakness in your server, it's more likely to be found by a white hat and reported to you directly so you can fix it, before a black hat finds the same weakness. Would you sign up your webserver? I think I would, and I believe I'd be reducing the risk of a black-hat break-in as a result, but there may be counter-arguments that I'm not thinking of.

Bennett
On 01/16/12 10:34 AM, Bennett Haselton wrote:
> With companies like Facebook and Google offering cash prizes for people
> who can find security holes in their products, has there ever been any
> consideration given to offering cash rewards to people finding security
> exploits in CentOS or in commonly bundled services like Apache?

companies like facebook and google have significant(!!) cash flow. centos is a volunteer project. from where would this prize money come?

you'd do better addressing this question to Redhat Enterprise Linux, anyways, since CentOS's goal is to be a near exact copy, bugs and warts included.

--
john r pierce N 37, W 122
santa cruz ca mid-left coast
On 01/16/2012 12:34 PM, Bennett Haselton wrote:
> With companies like Facebook and Google offering cash prizes for people who can find security holes in their products, has there ever been any consideration given to offering cash rewards to people finding security exploits in CentOS or in commonly bundled services like Apache? (Provided of course they follow "responsible disclosure" and report the exploit to the software authors and get it fixed.)
>
> Obviously the benefit would be that it would increase the chance of a white hat finding and fixing an exploit, before a black hat discovered the same one and used it to attack people's servers. Would there be any other downsides, other than the cost of paying out the prize?
>
> I've heard some objections from companies over the years who didn't want to institute a "prize program", but I thought some of those objections didn't make much sense (and indeed some of those companies ended up instituting a prize program after all, a few years later). For example, some people said, "This just encourages people to find exploits and then they might use those exploits to do harm." (The problem with this is if someone has sufficient black-hat incentives for finding an exploit -- either to do malice, or more likely to sell it on the black market -- those incentives *already* exist, so the prize program wouldn't create any additional incentive to use an exploit illegally.) Would you feel safer using CentOS if a bounty program encouraged people to report exploits to the project? Why or why not? I think I would, for the stated reason -- newly discovered exploits are more likely to get reported and fixed, than to be used in the wild. But I'd be curious why anyone might feel less safe if such a program existed.
>
> On a related question, suppose that instead of paying for generic exploits against the operating system, you as a webmaster had the option of adding your website to a directory of "bounty" sites, where you would have to put up a bond of $100 to join. Then anyone who could prove that they broke into your server (let's say the "proof" is that they read a world-readable file in the root directory) would collect the $100 prize, if they can describe exactly how they did it and what you need to fix to prevent the attack in the future. That way, if there's ever a weakness in your server, it's more likely to be found by a white hat and reported to you directly so you can fix it, before a black hat finds the same weakness. Would you sign up your webserver? I think I would, and I believe I'd be reducing the risk of a black-hat break-in as a result, but there may be counter-arguments that I'm not thinking of.

For the record ... Facebook USES CentOS