Message-ID: <CABejAM+hhgCipLzUycSV-RszcF6un45CncGFT9w0Yc69qNcbjQ@mail.gmail.com>
Date: Fri, 21 Sep 2018 21:12:15 -0700
From: Justin Ferguson <justin@...c.co>
To: oss-security@...ts.openwall.com
Cc: fulldisclosure@...lists.org
Subject: bounties

Hello,

I was curious about people's experiences with bug bounties, particularly
those through the prominent clearing houses for them. My experience is
that I have been either ripped off or extremely slow-walked in payment
that was substantially below the listed payout in every single
instance. I'm curious how accurately that reflects other people's
experiences.

In the first series of findings, the vendor, a popular open source
component, simply patched the bugs and refused to close the tickets
triggering payout for over a year. Attempts at resolving this through
the clearing house's support produced an endless series of excuses
mostly revolving around their not having any insight into their own
database (which is probably true). After a year or so, the ticket was
finally closed and the payout several hundred dollars less than the
enumerated payout. I refused the bounty citing these complications and
insisted that the finding was a work for hire that was rejected and
requested that the patch be reverted as a result, which was just
ignored.

In the second series, the vendor, a prominent hardware company, stated
that a one line fix with no usability impact (the patch is to move the
line up one line so that it is included in the mutex lock) was found
and "partly fixed" over a month prior and that a full patch should be
released soon. That was several months ago and looking through their
reports, their public repositories, et cetera it appears to be totally
and entirely something they made up as the bug still exists. This
meshes with my thoughts that there even was such a thing as a partial
fix for x() mutex.lock() vs mutex.lock() x();.

In the third instance, the vendor, an anti-virus vendor in Europe,
stated that they were not able to reproduce the issue and didn't see
any issue. There were multiple things reported to them and their
circumstances were different as a context switch meant I was turning
in incomplete work just to attempt to get the issues patched. After
months of them coming back and asking the same question repeatedly,
being told the same answer repeatedly and continually ignoring very
basic questions about their attempts to reproduce, they closed the
matter as not reproducible. Upon further review, they could not have
possibly reviewed anything as the issue is blatantly clear and obvious
implying that they must not have even looked at the matter. In
additional findings reported to them, they've outright ignored the
matter entirely.

Thus, my experience has thus far been that bounties, particularly
those through the clearing houses are basically enabling a 1990s
pre-full-disclosure series of processes under the pretense of the
opposite, but in practice mostly just ripping works for hire off. This
clearly isn't the case across the board, but it's been true in every
instance of my participation.

-me
