Wouldn't it have been better to crowdfund a full audit for OpenSSL, like TrueCrypt, instead of just offering a bug bounty?
OpenSSL bug hunt: Find NEXT Heartbleed, earn $$$ – if enough people donate cash
An effort to raise $250,000 for an OpenSSL bug-bounty program is underway – and its organisers hope it will help ensure the Heartbleed omnishambles is never repeated. The campaign, spearheaded by computer security startup Bugcrowd, aims to raise the cash by 29 April: the money will be distributed as rewards to infosec bods who …
-
-
Wednesday 16th April 2014 17:31 GMT Roland6
Open Source Funding...
What seems to have been missed in all this is how open source projects are and should be funded.
According to this BBC article "Heartbleed fallout may 'slow' browsing speeds" (http://www.bbc.co.uk/news/technology-27035072 ) "Annual donations [to the OpenSSL Software Foundation] typically amounted to about $2,000 (£1,195)"
So I would agree we need to find a better way of funding the original development and ongoing maintenance of open source projects than we have at present. Funding a 'jackpot' for bug finders without rewarding original development contributions is sending the wrong message, namely that the ability to develop good bug-free code is of lower value than the ability to break such code.
-
This post has been deleted by its author
-
Wednesday 16th April 2014 21:04 GMT Destroy All Monsters
Re: Open Source Funding...
There is a better way to fund software development. It's where developers work for real money, and sell their products.
That's beside the point. That business model exists and it delivers shite, too, though it may manage to create more polished products.
One could also have megacorpses like Larry's dump a few kilobucks on the provider of the SSL functionality of what turns out to be a fat part of his product lineup, judging by the patch hurl released yesterday.
-
Thursday 17th April 2014 04:46 GMT MacroRodent
Re: Open Source Funding...
I don't think it's actually possible to put any lower value than 'free' on the contributions most people make to open source projects.
Actually, these days the most important open-source projects have paid developers working on them, paid either by corporations that use the code, or by some non-profit. OpenSSL seems to be an exception for a high-profile project. This needs to change.
-
Thursday 17th April 2014 11:28 GMT DanDanDan
Re: Open Source Funding...
From what I hear, OpenSSL has a small (half a dozen) group of core developers who reject any and all outside contributions in terms of bug fixes, etc.
They also have a TERRIBLY HORRIBLE code base (think #if 0 everywhere), barely any evidence anything has been refactored and barely readable code, with feck all comments in it.
Frankly, it needs to be forked and the forked version needs funding from the megacorps who profit from the code. They can all benefit from open source by sharing the development cost and shared benefit.
-
Wednesday 16th April 2014 16:49 GMT Anonymous Coward
> 100 per cent of the proceeds will be offered to security researchers. Any leftover funds will be passed on to the OpenSSL Software Foundation
What is the time frame before the OpenSSL Software Foundation starts to dip their greedy little mitts into the honey pot?
They should have some of the 800-pound gorillas (G, A, M, O) take over the caretaking of the code while keeping it open source. I have more faith in a room full of paid security researchers than in a handful of volunteers who look at the code when they have time.
-
Wednesday 16th April 2014 18:49 GMT Martin Summers
Why should you get to use it or have benefit from it with an attitude like that? No bugger else bothered developing it and the small team who did bother get no reward. None of this is really their fault. It's the fault of the millions of people who use it without giving a toss about where it came from so long as it was free.
-
-
Wednesday 16th April 2014 21:18 GMT smiths121
Well I gave them a bit
Hi All,
Just did my $20 pledge (it's US after all). It is surprising just how much of our internal and external infrastructure and the products we sell are affected by this. It would be nice to see some of the larger organisations that use it back this, rather than take weeks to fix their app/firmware etc. OpenWrt had a patch by Thursday/Friday; how come it takes the big orgs so long?
As the advert implies -> 5 beers = $20, nice, calm, planned work time - priceless.
Simon
-
Wednesday 16th April 2014 21:57 GMT Anonymous Coward
What I want to know ..
.. is why Google took more than a week to brief the OpenSSL dev team on the vulnerability instead of doing it at the same time as starting work on a fix, or maybe a day later so that they had some detection or a basic fix in place in case the news leaked. Isn't that the usual process: brief the originator ASAP so they get a chance to start working on it?
Google does not strike me as the best place to keep such a secret secret anyway.
The choice of date can't have helped either, because you'd think that something of that magnitude must be a joke at first.
NOT impressed, and it's a question that really must be answered: what was Google doing with the knowledge of that vulnerability in the days between the 22nd and the 1st?
-
-
Thursday 17th April 2014 09:53 GMT Evan Essence
Re: Too good to be true...
Ouch indeed, if true, but the Campaign Description says (also quoted in the article):
100% of the proceeds will be offered to security researchers. Any leftover funds will be passed on to the OpenSSL Software Foundation. Bugcrowd will administer the bounty at it's [sic] own expense.
-
Thursday 17th April 2014 11:43 GMT foo_bar_baz
Disclosure
Quote:
"The OpenSSL development team was alerted by Google on 1 April, and separately a Finnish infosec biz discovered the same bug, but would not say if they tipped anyone off about the coding error."
This article says they alerted the local CERT, who in turn notified OpenSSL a few days after Mehta. There's even a timeline about how the news broke.