Posted by greggles on March 27, 2012 at 8:17pm
I just read this article on Forbes, "Shopping for Zero Days", which points out that bounties for bug reports are less valuable when the black market is willing to pay much more money for the issue.
Of course I hope that people will always report security issues to security@drupal.org and work with that process to fix issues. It's an interesting read, nonetheless.

Comments
Re: Security bugs: Bounties vs. Blackmarket
I saw that article too and immediately thought of Drupal. Even though no one offers any kind of financial reward for Drupal bugs, based on the article it's not like you could compete anyway. If a company is going to scoff at $60,000 or even one million dollars for a bug, it's impossible to compete with that in an open source environment.
Security bounty for Drupal
Whitefir Design pays for Drupal security vulnerabilities.
See https://www.whitefirdesign.com/about/drupal-security-bug-bounty-program....
Do you know of anyone who has collected their bounty? I'm not aware so far.
knaddison blog | Morris Animal Foundation
Not that I know. AFAIK we have no reports from whitefir, and no one mentioned the bounty in the initial report.
I'm currently contemplating whether to go for it, take Chx's offer or wait until Munich comes around @ http://heine.familiedeelstra.com/drupal-exploit-what-to-do .
Consider Zero Day Initiative, too
A few years ago I tried sending an Ubercart bug to http://zerodayinitiative.com/ but they were not interested. I've talked to some of their folks since and they said they would likely be interested in Drupal vulnerabilities now.
knaddison blog | Morris Animal Foundation
Thanks!
I'm currently looking at ZDI, iDefense and SecuriTeam.