Discussion:
Bug bounty framework?
Mason Loring Bliss
2021-04-25 18:43:23 UTC
I lack the free time and familiarity needed to fix some of the things I'd
love to see fixed in FreeBSD, and I don't remember this idea coming up
previously, so I wanted to see what folks think about a framework for bug
bounties and similar.

Not too long ago I found myself trying to work through how to get Poudriere
to build things at an arbitrary prefix other than /usr/local and I offered
a donation to the Foundation in exchange for a working solution. It seems
that the process got much of the way there, and in any event I made the
donation as thanks for the work that had gone into it. (I'd moved on to
other things so I haven't exercised the stuff that was fixed. I'm hoping
to give it another try sometime soon.)

Recently, someone here noted that with FreeBSD 13 on Vultr VMs, reboots
hang, and I observe this as well. I've got several systems where FreeBSD
fails to load the kernel sporadically. There's an issue where FreeBSD on
KVM stops using the EFI console and quietly switches to a text console,
where you need to know this has happened to continue with installation.
There's a now-understood (thanks, RhodiumToad) issue where geom tasting
devices can consume them in a funny way that can't be undone without a
reboot, inhibiting some methods of installation. VIMAGE has (at least
historically) had a race that can lead to a system hang.

I've observed or been bitten by all these things, and I'd love to find some
way to participate in their remediation, and it seems like a useful notion
would be giving people a chance to commit to contributing to bug bounties
to be paid out to the Foundation when various things are fixed. It'd be a
purely altruistic motivation for folks who put time into fixing things, as
the fruits of their labour would be FreeBSD working better and the
Foundation getting more donations, but then, I see the BSD world as
existing based on altruism. (Take this and share! We hope you give back!)

A useful tool for this would be a listing of projects that have accrued at
least one backer and some way to define goals and results such that it's
clear when the bounty has been earned.

I'd love to hear thoughts about this.
--
Mason Loring Bliss  ***@blisses.org  http://blisses.org/
"In the drowsy dark cave of the mind dreams build their nest with fragments
dropped from day's caravan." - Rabindranath Tagore
linimon@portsmon.org
2021-04-26 19:55:17 UTC
> I don't remember this idea coming up previously, so I wanted to see what
> folks think about a framework for bug bounties and similar.
Actually it _has_ been discussed before, but not very recently.

tl;dr: there's demand for it but no one has stepped up to do the work to
set it up :-)

There was a "general" open source bounty site started 6 or 7 years ago, but
it failed to get off the ground. (I am not going to link to it -- the most
recent email I got from it was an ad for home improvement work.)

And I can't speak for the Foundation, but in order to remain tax-exempt in
the US, it cannot be seen as a "pass-through" place for explicit work. i.e.
MajorCompanyX can't pay the Foundation to pay someone to do work.

Now myself I would think that bugfixes would fall outside of the worry-zone but
again I am not associated with the Foundation. So all I can do is to offer you
help setting up a wiki page or something. (In the past, I have shied away from
setting up some framework myself, because it would then be a conflict of interest
for me to take advantage of any of the offers.)

mcl
Li-Wen Hsu
2021-04-26 20:12:40 UTC
Post by ***@portsmon.org
> > I don't remember this idea coming up previously, so I wanted to see what
> > folks think about a framework for bug bounties and similar.
> Actually it _has_ been discussed before, but not very recently.
> tl;dr: there's demand for it but no one has stepped up to do the work to
> set it up :-)
I feel it's mixing two different things? IIUC, "bug bounty" mostly means
that an organization (usually a big company) has a prize to reward the
people who report security issues, instead of selling the 0day on the dark
net. :-) I'm not sure that, as an open source project, we should have that,
but I remember seeing some places where there are rewards for reporting
kernel security issues, including for FreeBSD (and I hope they forward the
reports to our security team.)

The idea the original post described sounds like having a reward for
completing a specified task. It's more like a job posting seeking
freelancers. But there is one (or more) of those for open source projects.
Here is an example I remember:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd

I guess leveraging those external services is better than setting up
our own at this point?

Best,
Li-Wen
Yuri Pankov
2021-04-26 20:20:40 UTC
Post by Li-Wen Hsu
> Post by ***@portsmon.org
> > > I don't remember this idea coming up previously, so I wanted to see what
> > > folks think about a framework for bug bounties and similar.
> > Actually it _has_ been discussed before, but not very recently.
> > tl;dr: there's demand for it but no one has stepped up to do the work to
> > set it up :-)
> I feel it's mixing two different things? IIUC that "bug bounty"
> mostly means that an organization (usually a big company) has a prize
> to reward the people who report security issues, instead of selling
> the 0day to the dark net. :-) I'm not sure as an open source, we
> should have that, but I remember that I see some places there are
> rewards for reporting kernel security issues, including FreeBSD (and
> hope they forward the report to our security team.)
> For the idea the original post described sounds like having a reward
> for completing a specified task. It's more like a job posting for
> seeking freelancers. But there is one (or more) for open source
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
> https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd
> I guess leveraging those external services is better than setting up
> our own at this point?
I think the problem is in "(or more)" -- both sides need to know where
exactly to post/look for tasks.
Li-Wen Hsu
2021-04-26 20:36:47 UTC
Post by Yuri Pankov
> Post by Li-Wen Hsu
> > For the idea the original post described sounds like having a reward
> > for completing a specified task. It's more like a job posting for
> > seeking freelancers. But there is one (or more) for open source
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
> > https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd
> > I guess leveraging those external services is better than setting up
> > our own at this point?
> I think the problem is in "(or more)" -- both sides need to know where
> exactly to post/look for tasks.
Indeed, I think we can have a recommended list of the trustworthy
places, put it on the project's homepage or wiki first?

Li-Wen
Gleb Popov
2021-04-27 07:14:56 UTC
> <snip>
> For the idea the original post described sounds like having a reward
> for completing a specified task. It's more like a job posting for
> seeking freelancers. But there is one (or more) for open source
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521#c3
> https://www.bountysource.com/issues/75687739-new-driver-request-port-rtsx-from-openbsd-to-freebsd
> I guess leveraging those external services is better than setting up
> our own at this point?
> Bes,
> Li-Wen
Speaking of bountysource.com, it is a TERRIBLE site. I was the one who
posted the rtsx driver bounty, and after a while it turned out that
BountySource quietly takes money from your balance as a "fee for
inactivity". I lost about $100 before noticing this. From now on I won't
trust any general-purpose bug-bounty site unless it runs as a smart contract
on a blockchain.

It'd be great if the Foundation implemented an ability to mention Bugzilla
PRs when making a donation.
Graham Perrin
2021-04-27 19:31:19 UTC
> … bountysource.com, it is a TERRIBLE site. I was the one who
> posted the rtsx driver bounty, and after a while it turned out that
> BountySource quietly takes money from your balance as a "fee for
> inactivity". I lost about $100 before noticing this. …
Thanks for the hint; <https://www.bountysource.com/fees>

Re: alternatives to Bountysource, links out from
<https://github.com/Drive4ik/simple-tab-groups/issues/120#issuecomment-827844136>
may be of interest.

(Some of the preceding comments were Ukraine-oriented.)

HTH
grarpamp
2021-04-28 20:24:37 UTC
Post by Gleb Popov
> BountySource quietly takes money from your balance as a "fee for
Anyone can announce, fund, or even blog their own work on whatever
projects and bounties they want, directly as developers or subgroups
or entire OS projects, or from different groups of users or interests
even corporates, with or without intermediary coordinators or coordination,
even completely private with privacy capable coins, create M-of-N multisig
completion of work contracts, endowments earn interest/dividends, etc...
limitless varieties.

Decentralized distributed cryptocurrency is the way forward and is
the future, GovCorp money, payment, and financial systems have
been deprecated since "The Times 03/Jan/2009"...

https://coinmarketcap.com/

People are using cryptocurrency today.

As such, all FreeBSD entities, devs and users should have a
number of wallet addresses from among the more popular cryptos
already generated and at the ready to receive/send.

People would surely tip 10 DOGE to each of the next hundred
bugfree commits, and 10 BCH for...

Adopt and use crypto today :)

Mason Loring Bliss
2021-04-26 20:36:05 UTC
Post by ***@portsmon.org
> And I can't speak for the Foundation, but in order to remain tax-exempt in
> the US, it cannot be seen as a "pass-through" place for explicit work. i.e.
> MajorCompanyX can't pay the Foundation to pay someone to do work.
Oh, hrm. I'll write to Foundation folks (if they don't see and respond
here) to see if something like this would be an acceptable structure
legally. I hadn't thought about it from that angle.
Post by ***@portsmon.org
> I feel it's mixing two different things? IIUC that "bug bounty"
> mostly means that an organization (usually a big company) has a prize
> to reward the people who report security issues,
That was probably not the right terminology for me to use, but it felt
close. Another analogy would be a walkathon, where kids sign people up to
donate to a charity with the donation being some amount per lap or per mile
or however it's measured.

I wouldn't have an opinion on a traditional bug bounty, where individuals
are rewarded monetarily for reporting bugs. This'd be more a feel-good
motivation for folks participating in getting defects fixed - "I helped get
this done, and the Foundation benefitted directly as a result."

A page on the wiki would probably be sufficient to track these things,
since there's no contract involved, if there's interest. I'd be happy to
volunteer time to help curate such a thing. I'd love to hear from the
Foundation, though, so I'll make contact.
--
Mason Loring Bliss ***@blisses.org http://blisses.org/
For more enjoyment and greater efficiency, consumption is being standardized.
linimon@portsmon.org
2021-04-26 22:09:34 UTC
Post by Mason Loring Bliss
> Another analogy would be a walkathon, where kids sign people up to
> donate to a charity with the donation being some amount per lap or
> per mile or however it's measured.
I like this idea. And, no one has ever suggested it before.

mcl