lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Oct 2013 14:02:13 -0400
From: Jeffrey Walton <>
To: Full Disclosure List <>,
 FunSec List <>
Subject: Going beyond vulnerability rewards

We all benefit from the amazing volunteer work done by the open source
community. That’s why we keep asking ourselves how to take the model
pioneered with our Vulnerability Reward Program - and employ it to
improve the security of key third-party software critical to the
health of the entire Internet.

We thought about simply kicking off an OSS bug-hunting program, but
this approach can easily backfire. In addition to valid reports, bug
bounties invite a significant volume of spurious traffic - enough to
completely overwhelm a small community of volunteers. On top of this,
fixing a problem often requires more effort than finding it.

So we decided to try something new: provide financial incentives for
down-to-earth, proactive improvements that go beyond merely fixing a
known security bug. Whether you want to switch to a more secure
allocator, to add privilege separation, to clean up a bunch of sketchy
calls to strcat(), or even just to enable ASLR - we want to help!

We intend to roll out the program gradually, based on the quality of
the received submissions and the feedback from the developer
community. For the initial run, we decided to limit the scope to the
following projects:

Core infrastructure network services: OpenSSH, BIND, ISC DHCP
Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
Open-source foundations of Google Chrome: Chromium, Blink
Other high-impact libraries: OpenSSL, zlib
Security-critical, commonly used components of the Linux kernel (including KVM)

We intend to soon extend the program to:

Widely used web servers: Apache httpd, lighttpd, nginx
Popular SMTP services: Sendmail, Postfix, Exim
Toolchain security improvements for GCC, binutils, and llvm
Virtual private networking: OpenVPN

How to participate?

Please submit your patches directly to the maintainers of the
individual projects. Once your patch is accepted and merged into the
repository, please send all the relevant details to If we think that the submission has a
demonstrable, positive impact on the security of the project, you will
qualify for a reward ranging from $500 to $3,133.7.

Before participating, please read the official rules posted on this
page; the document provides additional information about eligibility,
rewards, and other important stuff.

Happy patching!

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists