OpenSSL bug hunt: Find NEXT Heartbleed, earn $$$ – if enough people donate cash

An effort to raise $250,000 for an OpenSSL bug-bounty program is underway – and its organisers hope it will help ensure the Heartbleed omnishambles is never repeated. The campaign, spearheaded by computer security startup Bugcrowd, aims to raise the cash by 29 April: the money will be distributed as rewards to infosec bods who …

COMMENTS

This topic is closed for new posts.

Wouldn't it have been better to crowdfund a full audit for OpenSSL, like TrueCrypt, instead of just offering a bug bounty?


Open Source Funding...

What seems to have been missed in all this is how open source projects are and should be funded.

According to this BBC article "Heartbleed fallout may 'slow' browsing speeds" (http://www.bbc.co.uk/news/technology-27035072): "Annual donations [to the OpenSSL Software Foundation] typically amounted to about $2,000 (£1,195)".

So I would agree we need to find a better way of funding the original development and ongoing maintenance of open source projects than we have at present. Funding a 'jackpot' for bug finders without rewarding original development contributions is sending the wrong message, namely that the ability to develop good bug-free code is of lower value than the ability to break such code.

Def

Re: Open Source Funding...

So I would agree we need to find a better way of funding the original development and ongoing maintenance of open source projects than we have at present.

There is a better way to fund software development. It's where developers work for real money, and sell their products.

Funding a 'jackpot' for bug finders without rewarding original development contributions is sending the wrong message, namely that the ability to develop good bug-free code is of lower value than the ability to break such code.

I don't think it's actually possible to put any lower value than 'free' on the contributions most people make to open source projects.


Re: Open Source Funding...

There is a better way to fund software development. It's where developers work for real money, and sell their products.

That's beside the point. That business model exists and it delivers shite, too, though it may manage to create more polished products.

One could also have megacorpses like Larry's dump a few kilobucks on the provider of the SSL functionality of what turns out to be a fat part of his product lineup, judging by the patch hurl released yesterday.


Re: Open Source Funding...

I don't think it's actually possible to put any lower value than 'free' on the contributions most people make to open source projects.

Actually, these days the most important open-source projects have paid developers working on them, paid either by corporations that use the code or by some non-profit. OpenSSL seems to be an exception for a high-profile project. This needs to change.


Re: Open Source Funding...

From what I hear, OpenSSL has a small (half a dozen) group of core developers who reject any and all outside contributions in terms of bug fixes, etc.

They also have a TERRIBLY HORRIBLE code base (think #if 0 everywhere), barely any evidence anything has been refactored and barely readable code, with feck all comments in it.

Frankly, it needs to be forked and the forked version needs funding from the megacorps who profit from the code. They can all benefit from open source by sharing the development cost and shared benefit.


Re: Open Source Funding...

What is to prevent your forked OpenSSL from devolving into the sort of mess the OpenSSL project is in?


Re: Open Source Funding...

The same thing that prevented forked OpenOffice (LibreOffice) from devolving... better project management by a better team, with more outside involvement and input. It wouldn't be easy to do (which is why it's not been done yet I suspect).


"WHAT HAPPENS WHEN A MEGA-FAIL IS DISCOVERED ?"

It would seem that it's everyone for themselves!


Re: "WHAT HAPPENS WHEN A MEGA-FAIL IS DISCOVERED ?"

ANNOUNCE ON APRIL 1ST FOR THE LULZ!

Anonymous Coward

> 100 per cent of the proceeds will be offered to security researchers. Any leftover funds will be passed on to the OpenSSL Software Foundation

What is the time frame before the OpenSSL Software Foundation starts to dip their greedy little mitts into the honey pot?

They should have some of the 800-pound gorillas (G, A, M, O) take over the caretaking of the code while keeping it open source. I have more faith in a room full of paid security researchers than in a handful of volunteers who look at the code when they have time.


Why should you get to use it or have benefit from it with an attitude like that? No bugger else bothered developing it and the small team who did bother get no reward. None of this is really their fault. It's the fault of the millions of people who use it without giving a toss about where it came from so long as it was free.


ensure the Heartbleed omnishambles is never repeated

When we come back: RESEARCHERS CONFIRM THAT THE HALTING PROBLEM HAS BEEN SOLVED BY A TURING MACHINE!

After this message...


Well I gave them a bit

Hi All,

Just did my $20 pledge (it's US after all). It is surprising just how much of our internal and external infrastructure and the products we sell are affected by this. It would be nice to see some of the larger organisations that use it back this, rather than take weeks to fix their app/firmware etc. OpenWrt had a patch by Thursday/Friday; how come it takes the big orgs so long?

As the advert implies -> 5 beers = $20, nice, calm, planned work time - priceless.

Simon


Re: Well I gave them a bit

Or you could have donated directly to the OpenSSL project, not some 3rd party via a crowdfunding website.

Anonymous Coward

What I want to know ..

.. is why Google took more than a week to brief the OpenSSL dev team on the vulnerability instead of doing it at the same time as starting work on a fix, or maybe a day later so that they had some detection or basic fix in place in case the news leaked. Isn't that the usual process: brief the originator ASAP so they get a chance to start working on it?

Google does not strike me as the best place to keep such a secret secret anyway.

The choice of date must not have helped either, because you'd think that something of that magnitude must be a joke at first.

NOT impressed, and it's a question that really must be answered - what was Google doing with the knowledge of that vulnerability in the days between the 22nd and the 1st?


Re: What I want to know ..

Do transcendental meditation in a GoogleBox cozily embedded in the GoogleSpace, with colored balls in attendance.


Too good to be true...

According to their website, they take 20% of your bounty. Ouch.


Re: Too good to be true...

This IS the age of Quantitative Self-Easing, after all.


Re: Too good to be true...

Ouch indeed, if true, but the Campaign Description says (also quoted in the article):

100% of the proceeds will be offered to security researchers. Any leftover funds will be passed on to the OpenSSL Software Foundation. Bugcrowd will administer the bounty at it's [sic] own expense.


Disclosure

Quote:

"The OpenSSL development team was alerted by Google on 1 April, and separately a Finnish infosec biz discovered the same bug, but would not say if they tipped anyone off about the coding error."

This article says they alerted the local CERT, who in turn notified OpenSSL a few days after Mehta. There's even a timeline about how the news broke.


Re: Disclosure

So how the hell does one "independently" discover a bug that stayed undiscovered for two years within days of other people discovering it?!? I sense someone with an exceedingly poor grasp of what causation means...


Re: Disclosure

That coincidence has my bat-sense tingling as well. I'm not sure what you're implying with your last sentence, though.


damn you El Reg

El Reg putting basically a thumbnail of a girl filling out a sweater which causes a click and the inevitable disappointment.

Anonymous Coward

Cash is helpful

But the amount of cash matters. To be effective, it probably has to be substantially bigger than the amount of cash the NSA can pay to find bugs in OpenSSL. That might be quite a big number.
