The one obvious flaw is the "email us for our PGP key" - distributing the public key in private and over an insecure channel makes it vulnerable to replacement.
Has anyone written a "best practices" guide for designing a security page?
In theory, PGP public keys shouldn't depend on being sent over a more-secure medium like SSL, because they're signed. One of the main points of PGP's design is that you can't spoof a public key, because you can't spoof its signatures.
That being said, in practice, I don't know that everyone is diligent about checking signatures of public keys they receive. An attacker could create a spoofed key, sign it with several other identities controlled by the attacker, and hope those signatures are enough to fool the unwary.
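The two comments above make one point between them: a PGP key that arrives over e-mail is only as good as the fingerprint check you do against a second channel, and a key carrying many signatures is only as good as your trust in the signers. The following is an added illustration, not code from the thread or from GitHub: a small Python model of GnuPG-style validity, where a key is valid if it was checked out of band, or if it is certified by one fully trusted key or by three marginally trusted keys (GnuPG's defaults). Signature bytes are not verified here (the model assumes every certification verifies), and all fingerprints and user IDs are constructed placeholders, since the interesting part is that a valid signature from an untrusted key proves nothing.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Owner-trust levels the verifier assigns in its *own* trust database.
FULL, MARGINAL = "full", "marginal"
MARGINALS_NEEDED = 3  # GnuPG's default; one fully trusted certifier also suffices


@dataclass
class Key:
    fingerprint: str   # constructed label; a real v4 fingerprint is 40 hex digits
    uid: str           # the "Name <email>" that certifiers vouch for
    certifiers: Set[str] = field(default_factory=set)  # keys that signed this uid


class Keyring:
    """Toy model of PGP key validity. Certifications are stored as signer ->
    target edges; verifying the signature bytes is assumed to succeed."""

    def __init__(self) -> None:
        self.keys: Dict[str, Key] = {}
        self.owner_trust: Dict[str, str] = {}  # fingerprint -> FULL or MARGINAL
        self.verified: Set[str] = set()        # fingerprints checked out of band

    def add(self, key: Key) -> None:
        self.keys[key.fingerprint] = key

    def certify(self, signer_fp: str, target_fp: str) -> None:
        """Record that signer_fp certified target_fp's user ID."""
        self.keys[target_fp].certifiers.add(signer_fp)

    def verify_out_of_band(self, fp: str, trust: Optional[str] = None) -> None:
        """Mark a key as checked against a fingerprint obtained over a second
        channel (in person, printed, phone), optionally trusting its owner as a
        certifier of *other* keys."""
        self.verified.add(fp)
        if trust:
            self.owner_trust[fp] = trust

    def is_valid(self, fp: str, _seen: frozenset = frozenset()) -> bool:
        """GnuPG-style rule: valid if verified directly, or certified by one
        FULL-trust key or MARGINALS_NEEDED MARGINAL-trust keys that are
        themselves valid. _seen guards against signature cycles."""
        if fp in self.verified:
            return True
        if fp in _seen or fp not in self.keys:
            return False
        seen = _seen | {fp}
        full = marginal = 0
        for c in self.keys[fp].certifiers:
            # A certifier counts only if its key is valid AND its owner is trusted;
            # sock puppets have neither property, however many there are.
            if not self.is_valid(c, seen):
                continue
            if self.owner_trust.get(c) == FULL:
                full += 1
            elif self.owner_trust.get(c) == MARGINAL:
                marginal += 1
        return full >= 1 or marginal >= MARGINALS_NEEDED

    def signature_count(self, fp: str) -> int:
        """What an unwary user looks at: how many signatures the key carries."""
        return len(self.keys[fp].certifiers)


def fingerprint_matches(received: str, expected: str) -> bool:
    """Compare a fingerprint received over an insecure channel (e.g. e-mail)
    with one obtained elsewhere, ignoring GnuPG's display spacing and case."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return hmac.compare_digest(norm(received), norm(expected))


def build_demo() -> Keyring:
    """Constructed scenario: a genuine key certified by one trusted friend, and
    an impostor key with the same uid certified by five cross-signing puppets."""
    ring = Keyring()
    ring.add(Key("ALICE", "Alice <alice@example.org>"))
    ring.add(Key("GENUINE", "Security <security@example.org>"))
    ring.add(Key("IMPOSTOR", "Security <security@example.org>"))
    puppets = [f"SOCK{i}" for i in range(5)]
    for p in puppets:
        ring.add(Key(p, f"{p} <{p.lower()}@example.net>"))
    for p in puppets:
        ring.certify(p, "IMPOSTOR")
        for q in puppets:           # puppets vouch for each other too
            if p != q:
                ring.certify(p, q)
    ring.verify_out_of_band("ALICE", FULL)  # Alice's fingerprint checked in person
    ring.certify("ALICE", "GENUINE")
    return ring


if __name__ == "__main__":
    r = build_demo()
    for fp in ("GENUINE", "IMPOSTOR"):
        print(fp, "sigs:", r.signature_count(fp), "valid:", r.is_valid(fp))
```

Run as-is, the impostor key carries five signatures and the genuine one carries a single signature, yet only the genuine key is valid, because validity flows from the verifier's own out-of-band checks and trust assignments rather than from the key file. `fingerprint_matches` is the check to apply to a key that arrives by e-mail: compare its fingerprint to one read from a page, a printout or a phone call, not to anything that came in the same message.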
Hey githubbers, could you please stop repeating the tired "responsible disclosure" meme?
Full disclosure is not irresponsible and attempts to frame it as such are bordering on malicious toward the exact community in which you are attempting to engender goodwill.
I disagree that "responsible disclosure" is tired, or a meme.
Software development is hard. Most projects are developed by teams, not single contributors. Consequently, part of reporting bugs is enduring the back and forth of communications with teams. Reporting bugs is not an all-or-nothing game.
Isn't $5000 ridiculously low compared to the black market value of a GitHub exploit, or the time required to develop it?
Assuming a company thinks it's pretty secure, putting real money on the line (the same money you'd normally pay an expert to pentest your system) would get some more prolific minds involved.
No, it is probably not. People have weird ideas about how much random web bugs are worth. Big ticket bugs are easily monetizable, and/or attack a huge install base with a very slow patch cycle. People hear about 5-6 figure bugs, but those are typically reliable browser clientside RCEs.
It is easy to think that but I think that isn't the case for a few reasons:
- You only need one person to report it, and so if Nefarious Nigel has found it and is planning to use it for profit, and Sweet Sarah finds it and reports it, then it worked. I imagine this is the case for the majority of bugs (but can't prove it).
- $5000 isn't in a different order of magnitude to Google's rewards, and they paid out several million dollars. This demonstrates that it does motivate people but also that adding a 0 on to that would likely have a far larger impact on revenue than Nefarious Nigel and his evil plans.
- I think a large number of smart people would (rightly) be scared about taking the black market route, but are motivated when they know there isn't a legal risk. Or, put differently, the risk to reward ratio ("pot odds") becomes worth it for this value for a legal prize.
Making 5k legally might be more appealing than making 20k on the black market, for example. When you have to hide your tracks and risk getting caught, a lower, for-sure sum might be more appealing. Also, Github is new at this; they might raise the bounty once they see how the program progresses.
Bug bounties are rarely competitive with their black-market value. I think in most cases they're intended more as a "thanks!" than a "please don't hack us".
It is a mistake to assume that bug bounties exist to compete with black market prices.
I argue that bug bounties are a pressure release valve for people who know that there's a problem, but are unsure if they're at risk of getting lawyer'd or prosecute'd for disclosing vulns.
No private entity can compete with nation states for vulnerability rewards.
Someone on the black market will almost always pay more than a company. The real value in responsible disclosure is typically from a consulting contract that may follow the report. Their leaderboard list also seems like a good way to build credibility in the community as well.
Great to see Github recognizing processes for security researchers between the ages of 13-18 in the FAQ. In the new age of crowdsourced skills, it's good to see age not playing a part as a barrier.
I wonder if the reward values have changed since the beta? I'm sure it is much harder to find anything now than it would have been back then, assuming they got a good turnout from really experienced people and 7-8 months of head start.
I especially like that they have 'rules for us' and also they have a section at the bottom which discusses discretionary bounties for their properties not covered in the main list.
If you're referring to the browser screenshot I think it's Opera (which is now based on Chromium) rather than Firefox. That will at least explain some of the similarities.
https://twitter.com/totally_unknown/status/42899282447475916...
Don't expect to earn easy cash here. :)