Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

Jay Daley <jay@ietf.org> Thu, 06 August 2020 20:15 UTC

Subject: Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
From: Jay Daley <jay@ietf.org>
In-Reply-To: <DCFC58DE-4AF3-4FDA-8EFC-90CDB794D5DE@akamai.com>
Date: Fri, 07 Aug 2020 08:15:35 +1200
Cc: "Livingood, Jason" <Jason_Livingood@comcast.com>, Rob Sayre <sayrer@gmail.com>, "ietf@ietf.org" <ietf@ietf.org>
Message-Id: <DBDCADF9-984F-4EFB-B10A-19E7ABBF01D9@ietf.org>
References: <B8EC2B88-81B7-47F4-A9DF-34A49077857E@cable.comcast.com> <C20C9BA2-549D-4326-B77E-D8E6A2DE7511@akamai.com> <CAChr6SzXswgpjUJUWN=xhB2QiBn7FYEUJYos1+5WTjS_3oantg@mail.gmail.com> <2C8B2840-D0D1-450A-94D2-1408D4014FC7@cable.comcast.com> <DCFC58DE-4AF3-4FDA-8EFC-90CDB794D5DE@akamai.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/3XxnoQXtohYAnwGAnHwgOQ5zfXc>


> On 7/08/2020, at 8:04 AM, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
> 
> The IETF website is not worth people hacking. If you had a bounty program in my view you’d get things like “I can read your .htaccess file” or the equivalent – nobody cares.

I’ve run a bounty program that got exactly that, all from individuals using automated tools.  We paid in the region of $20 - $50 and after about 20 or so they dried up as all the basic things an automated scanner can find had been addressed.  There was no indication of anyone doing more sophisticated testing.  I was quite happy with it as a way of pushing us to take an "outside looking in" view and it was cheap and easy to administer but it basically just found the small issues we introduced ourselves in-between regular commissioned pen tests, which in my view are the one thing nobody can do without (for opsec that is).

Jay

> Maybe people will find unauthenticated access to the datatracker site and be able to do things there. Depends on what you think the risk is.
>  
> The OpenSSL website is not worth people hacking. (“Yes, thanks, being able to view the site with SSLv3 is deliberate.”)  Finding CVE bugs in the OpenSSL source was worth it, but OpenSSL never had a bug bounty program. Researchers are quite good about responsible disclosure.
>  
> Akamai does not have a bug bounty program. We also seem to be quite good about getting responsible disclosures; this week’s BlackHat presentation (https://blogs.akamai.com/2020/08/black-hat-presentation---web-cache-entanglement.html is our take on it) is an example. In the past I’ve given Tshirts to a couple of folks.

-- 
Jay Daley
IETF Executive Director
jay@ietf.org