Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

Rob Sayre <sayrer@gmail.com> Thu, 06 August 2020 19:46 UTC

References: <B8EC2B88-81B7-47F4-A9DF-34A49077857E@cable.comcast.com> <C20C9BA2-549D-4326-B77E-D8E6A2DE7511@akamai.com> <CAChr6SzXswgpjUJUWN=xhB2QiBn7FYEUJYos1+5WTjS_3oantg@mail.gmail.com> <2C8B2840-D0D1-450A-94D2-1408D4014FC7@cable.comcast.com>
In-Reply-To: <2C8B2840-D0D1-450A-94D2-1408D4014FC7@cable.comcast.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Thu, 06 Aug 2020 12:45:50 -0700
Message-ID: <CAChr6SwfD2SAhK6H7GkrHpMK3nABw9iHBqw9XA6RZynhax8VKQ@mail.gmail.com>
Subject: Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
To: "Livingood, Jason" <Jason_Livingood@comcast.com>
Cc: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/12bhojOUwml9IvvHQhUfSbCtuTM>

Both (I donate the bounties).

I would suggest contracting it out to something like HackerOne for an
experiment, so the initial strain on the IETF is low.

thanks,
Rob


On Thu, Aug 6, 2020 at 12:28 PM Livingood, Jason <
Jason_Livingood@comcast.com> wrote:

> I have heard that some security researchers may not bother reporting
> absent a small bounty. So I would love to hear from any of you that may
> have direct experience either (1) being paid a bounty as a security
> researcher or (2) working at a company that pays bounties (such as reacting
> to/validating those bugs).
>
> Thanks
>
> Jason
>
> From: ietf <ietf-bounces@ietf.org> on behalf of Rob Sayre <
> sayrer@gmail.com>
> Date: Thursday, August 6, 2020 at 3:14 PM
> To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
> Cc: "ietf@ietf.org" <ietf@ietf.org>
> Subject: Re: Bounty: Consultation on DRAFT Infrastructure and Services
> Vulnerability Disclosure Statement
>
> On Thu, Aug 6, 2020 at 8:21 AM Salz, Rich <rsalz=
> 40akamai.com@dmarc.ietf.org> wrote:
>
>     >    * Whether or not this statement should be supplemented with a
> "bug bounty" program.
>
> In my experience (several years running openssl.org),
> bug bounties for websites are not worthwhile.
>
> It really depends on how complicated the website is. Lots of web software
> companies have bounty programs: <https://hackerone.com/bug-bounty-programs>
>
> I think the IETF infrastructure might be able to use one. Trying it out
> seems like a reversible decision, too.
>
> thanks,
>
> Rob