Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 28 Sep 2017 21:25:41 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: The Internet Bug Bounty: Data Processing (hackerone.com)

Since these open-source software projects have been actively fixing security
issues and some of the issues has been announced in oss-security mailing list I
am writing about this hackerone project here as well:

https://hackerone.com/ibb-data

Policy:

The Internet Bug Bounty is offering rewards to security researchers who resolve
critical vulnerabilities in core infrastructure data processing libraries.
Critical vulnerabilities in these libraries have widespread consequences to the
internet community.

Bounty Qualification:

- Only Critical vulnerabilities that demonstrate unambiguous remote code
  execution are eligible under this program. Findings with alternative impact
  or severity are not in scope at this time.

- Your Proof of Concept MUST demonstrate that remote exploitation can be
  easily, actively, and reliably achieved.

- Only versions currently supported by the upstream project are eligible.
  Please verify your issue is present in a current release before submission.

- The individual library maintainers have final decision on which issues
  constitute security vulnerabilities. The Panel will respect their decision,
  and we ask that you do as well. It's important to keep in mind that not all
  submissions will qualify for a bounty, and that the decision to award a
  bounty is entirely at the discretion of the Panel.

In scope projects currently:

https://github.com/the-tcpdump-group/libpcap
https://github.com/ImageMagick/ImageMagick
https://github.com/glennrp/libpng
http://hg.code.sf.net/p/graphicsmagick/code/
https://github.com/curl/curl
https://github.com/the-tcpdump-group/tcpdump

I hope to motivate people with this email. I understand that oss-security
mailing list is not meant to announce these in regular basis, but I consider
this hackerone project highly relevant for the researchers reading this list.

Also if you have spare time please help projects like Google's oss-fuzz
https://github.com/google/oss-fuzz to get us more safer internet for everyone.

-- 
Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.