On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo tylerromeo@gmail.com wrote:
> Therefore, I thought it may be beneficial to take that over to Wikipedia and start our own bug bounty program. Most likely, it would be strictly a hall-of-fame-like structure where people would be recognized for submitting bug reports (maybe we could even use the OpenBadges extension *wink* *wink*). It would help by increasing the number of bugs (both security and non-security) that are found and reported to us.
> Any thoughts?
Some time ago I ran a number of public exercises testing various aspects of Wikipedia. I ran into a number of issues:
1) It takes a lot of preparation and time spent to do well.
2) Essentially 100% of bugs reported by naive reporters are DUPLICATE, WONTFIX, or are in the backlog of some feature already.
3) Reporting bugs directly in bugzilla creates a lot of noise and annoys people who monitor traffic there. (Mozilla runs things like this from time to time; from them I learned to have people report in a separate system, e.g. etherpad or email, and have someone triage and sort the reports before creating Bugzilla tickets, see point 1) above.)
Google, which spends a lot of money doing stuff like this for security exploits, narrows the circumstances radically: http://www.chromium.org/Home/chromium-security/pwnium-4.