On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo tylerromeo@gmail.com wrote:
Hey everybody,
So today at the iSEC Partners security open forum I heard a talk from Zane Lackey, the former security lead for Etsy, concerning the effectiveness of bug bounties.
He made two points:
- Bug bounties are unlikely to cause harm, especially for Wikipedia, which I asked him about, because the mere popularity of our service means we are already being scanned, pentested, etc. With a bounty program, there will be incentive for people to report those bugs rather than pastebin them.
- Even without a monetary reward, which I imagine WMF would not be able to supply, crackers are motivated simply by the "hall of fame", or being able to be recognized for their efforts.
Therefore, I thought it may be beneficial to take that over to Wikipedia and start our own bug bounty program. Most likely, it would be strictly a hall of fame like structure where people would be recognized for submitting bug reports (maybe we could even use the OpenBadges extension *wink* *wink*). It would help by increasing the number of bugs (both security and non-security) that are found and reported to us.
Any thoughts? (Of course, Chris would have to approve of this program before we even consider it.)
I've been thinking of at least putting up a list of top contributors on mediawiki.org for a while, and just hadn't had the time to do it. If anyone wants to compile that list from the list of closed security bugs, I'd be very supportive.
As for a more official program, the downside that I predict we would quickly hit (from talking to a few people who have run these) is the high volume of very low-quality reports that have to be investigated and triaged, which is something that just takes time from a human... so my evil_plans.txt towards this was (I really had almost this exactly in my todo list):
* Get more volunteers access to security bugs
** {{done}} get list of top contributors
** Find out from Philippe how to get a bunch of volunteers identified
*** Doh, we're probably changing our identification process soon. On hold.
So, I was planning to wait until we have a more streamlined process for getting volunteers access to data that could potentially be covered by our privacy policy, then invite some people who have contributed significantly to MediaWiki's security in the past to get access to those bugs and help triage/assign/fix bugs, then look into starting something official or semi-official. But if a few of you would be willing to deal with our current identification/NDA process and are willing to help investigate reports, I'm happy to start working on it sooner.
-- Tyler Romeo 0xC86B42DF