On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
Hey everybody,

So today at the iSEC Partners security open forum I heard a talk from Zane Lackey, the former security lead for Etsy, concerning the effectiveness of bug bounties. He made two points:

1) Bug bounties are unlikely to cause harm, especially for Wikipedia, which I asked him about, because the mere popularity of our service means we are already being scanned, pentested, etc. With a bounty program, there will be incentive for people to report those bugs rather than pastebin them.

2) Even without a monetary reward, which I imagine WMF would not be able to supply, crackers are motivated simply by the "hall of fame", or being able to be recognized for their efforts.

Therefore, I thought it may be beneficial to take that over to Wikipedia and start our own bug bounty program. Most likely, it would be strictly a hall-of-fame-like structure where people would be recognized for submitting bug reports (maybe we could even use the OpenBadges extension *wink* *wink*). It would help by increasing the number of bugs (both security and non-security) that are found and reported to us.

Any thoughts? (Of course, Chris would have to approve of this program before we even consider it.)
I've been thinking of at least putting up a list of top contributors on mediawiki.org for a while, and just hadn't had the time to do it. If anyone wants to compile that list from the list of closed security bugs, I'd be very supportive.
As for a more official program, the downside that I predict we would quickly hit (from talking to a few people who have run these) is the high volume of very low quality reports that have to be investigated and triaged, which is something that just takes time from a human... So my evil_plans.txt towards this was (I really had almost this exactly in my todo list):
* Get more volunteers access to security bugs
** {{done}} get list of top contributors
** Find out from Philippe how to get a bunch of volunteers identified
*** Doh, we're probably changing our identification process soon. On hold.
So, I was planning to wait until we have a more streamlined process for getting volunteers access to data that could potentially be covered by our privacy policy, then invite some people who have contributed significantly to MediaWiki's security in the past to get access to those bugs and help triage/assign/fix bugs, then look into starting something official or semi-official. But if a few of you would be willing to deal with our current identification/NDA process and are willing to help investigate reports, I'm happy to start working on it sooner.
--
Tyler Romeo
0xC86B42DF