Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

"Salz, Rich" <rsalz@akamai.com> Thu, 06 August 2020 20:04 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "Livingood, Jason" <Jason_Livingood@comcast.com>, Rob Sayre <sayrer@gmail.com>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
CC: "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
Thread-Topic: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
Thread-Index: AQHWbAJjNrTOc3S+5k6Up6Y2g3tuBakrQyOAgACDwACAAARWgP//xxUA
Date: Thu, 06 Aug 2020 20:04:25 +0000
Message-ID: <DCFC58DE-4AF3-4FDA-8EFC-90CDB794D5DE@akamai.com>
References: <B8EC2B88-81B7-47F4-A9DF-34A49077857E@cable.comcast.com> <C20C9BA2-549D-4326-B77E-D8E6A2DE7511@akamai.com> <CAChr6SzXswgpjUJUWN=xhB2QiBn7FYEUJYos1+5WTjS_3oantg@mail.gmail.com> <2C8B2840-D0D1-450A-94D2-1408D4014FC7@cable.comcast.com>
In-Reply-To: <2C8B2840-D0D1-450A-94D2-1408D4014FC7@cable.comcast.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/hzIpFthWY7Ri7gfEMTe7uCLzO80>
List-Id: IETF-Discussion <ietf.ietf.org>

The IETF website is not worth people hacking. If you had a bounty program in my view you’d get things like “I can read your .htaccess file” or the equivalent – nobody cares. Maybe people will find unauthenticated access to the datatracker site and be able to do things there. Depends on what you think the risk is.

The OpenSSL website is not worth people hacking. (“Yes, thanks, being able to view the site with SSLv3 is deliberate.”) Finding CVE bugs in the OpenSSL source was worth it, but OpenSSL never had a bug bounty program. Researchers are quite good about responsible disclosure.

Akamai does not have a bug bounty program. We also seem to be quite good about getting responsible disclosures; this week’s BlackHat presentation (https://blogs.akamai.com/2020/08/black-hat-presentation---web-cache-entanglement.html is our take on it) is an example. In the past I’ve given T-shirts to a couple of folks.