Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Sep 2017 21:25:41 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: The Internet Bug Bounty: Data Processing (hackerone.com)

Since these open-source software projects have been actively fixing security
issues and some of the issues has been announced in oss-security mailing list I
am writing about this hackerone project here as well:

https://hackerone.com/ibb-data

Policy:

The Internet Bug Bounty is offering rewards to security researchers who resolve
critical vulnerabilities in core infrastructure data processing libraries.
Critical vulnerabilities in these libraries have widespread consequences to the
internet community.

Bounty Qualification:

- Only Critical vulnerabilities that demonstrate unambiguous remote code
  execution are eligible under this program. Findings with alternative impact
  or severity are not in scope at this time.

- Your Proof of Concept MUST demonstrate that remote exploitation can be
  easily, actively, and reliably achieved.

- Only versions currently supported by the upstream project are eligible.
  Please verify your issue is present in a current release before submission.

- The individual library maintainers have final decision on which issues
  constitute security vulnerabilities. The Panel will respect their decision,
  and we ask that you do as well. It's important to keep in mind that not all
  submissions will qualify for a bounty, and that the decision to award a
  bounty is entirely at the discretion of the Panel.

In scope projects currently:

https://github.com/the-tcpdump-group/libpcap
https://github.com/ImageMagick/ImageMagick
https://github.com/glennrp/libpng
http://hg.code.sf.net/p/graphicsmagick/code/
https://github.com/curl/curl
https://github.com/the-tcpdump-group/tcpdump

I hope to motivate people with this email. I understand that oss-security
mailing list is not meant to announce these in regular basis, but I consider
this hackerone project highly relevant for the researchers reading this list.

Also if you have spare time please help projects like Google's oss-fuzz
https://github.com/google/oss-fuzz to get us more safer internet for everyone.

-- 
Henri Salo

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.