On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
> Therefore, I thought it may be beneficial to take that over to Wikipedia
> and start our own bug bounty program. Most likely, it would be strictly a
> hall-of-fame-like structure where people would be recognized for submitting
> bug reports (maybe we could even use the OpenBadges extension *wink* *wink*).
> It would help by increasing the number of bugs (both security and
> non-security) that are found and reported to us.
>
> Any thoughts?
Some time ago I ran a number of public exercises testing various aspects of
Wikipedia. I ran into a number of issues:
1) It takes a lot of preparation and time spent to do well.
2) Essentially 100% of bugs reported by naive reporters are DUPLICATE,
WONTFIX, or are in the backlog of some feature already.
3) Reporting bugs directly in Bugzilla creates a lot of noise and annoys
people who monitor traffic there. (Mozilla runs things like this from time
to time; from them I learned to have people report in a separate system,
e.g. Etherpad or email, and have someone triage and sort the reports before
creating Bugzilla tickets; see point 1) above.)
Google, which spends a lot of money doing stuff like this for security
exploits, narrows the circumstances radically:
http://www.chromium.org/Home/chromium-security/pwnium-4 .