Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

Bron Gondwana <brong@fastmailteam.com> Fri, 07 August 2020 01:01 UTC

Message-Id: <f73f5c02-edcb-434a-8077-1b4f4cab7749@dogfood.fastmail.com>
In-Reply-To: <DBDCADF9-984F-4EFB-B10A-19E7ABBF01D9@ietf.org>
References: <B8EC2B88-81B7-47F4-A9DF-34A49077857E@cable.comcast.com> <C20C9BA2-549D-4326-B77E-D8E6A2DE7511@akamai.com> <CAChr6SzXswgpjUJUWN=xhB2QiBn7FYEUJYos1+5WTjS_3oantg@mail.gmail.com> <2C8B2840-D0D1-450A-94D2-1408D4014FC7@cable.comcast.com> <DCFC58DE-4AF3-4FDA-8EFC-90CDB794D5DE@akamai.com> <DBDCADF9-984F-4EFB-B10A-19E7ABBF01D9@ietf.org>
Date: Fri, 07 Aug 2020 11:01:27 +1000
From: Bron Gondwana <brong@fastmailteam.com>
To: ietf@ietf.org
Subject: Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
Content-Type: multipart/alternative; boundary="717b961babbf4455ad8464665b2ef9b3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/1d-Li4oCm0mtoWlvZR0-lErtuHw>

On Fri, Aug 7, 2020, at 06:15, Jay Daley wrote:
> 
> 
> > On 7/08/2020, at 8:04 AM, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
> > 
> > The IETF website is not worth people hacking. If you had a bounty program in my view you’d get things like “I can read your .htaccess file” or the equivalent – nobody cares.
> 
> I’ve run a bounty program that got exactly that, all from individuals using automated tools.  We paid in the region of $20 - $50 and after about 20 or so they dried up as all the basic things an automated scanner can find had been addressed.  There was no indication of anyone doing more sophisticated testing.  I was quite happy with it as a way of pushing us to take an "outside looking in" view and it was cheap and easy to administer but it basically just found the small issues we introduced ourselves in-between regular commissioned pen tests, which in my view are the one thing nobody can do without (for opsec that is).

You're not going to get anything good for $50!  We've paid up to $4000, which is still not heaps but does attract people willing to do more detailed research than just running an automated scanner:

https://www.fastmail.com/about/bugbounty/

One thing to keep in mind - you will get quite a lot of work to do just processing bug reports.  I'd say we've spent more on the staff time to review incoming reports and assess them for correctness (not to mention arguing with cranks who are sure they deserve a payout for some nonsense that a tool told them) than we have on payouts.

Bron.

--
  Bron Gondwana, CEO, Fastmail Pty Ltd
  brong@fastmailteam.com