
Technology

Broadly defined "technology" e.g. software, water pumps

RFC - Security Bounties in Open Source

The other day I broached the idea of a security bounty in the Drupal project. I had first heard about this concept from the Mozilla Foundation's Security Bug Bounty which appears to be the most famous of these.

Why Security Bug Bounties are a good idea

This is pretty simple:

  1. It provides at least some motivation for folks to actually look at the code and find security bugs, making the software more secure.
  2. More folks looking at the code is always a good thing.
  3. Just the concept and the existence of the program reminds people that we take security seriously, and informs them of the proper way to report a bug.
  4. In the case of the Drupal Association - which can't make decisions about the code based on the statutes (en pdf) (more formats/languages).

Generalized Security Bug Bounty System

This concept seems to me like it could be generalized for any software project. Here are the rules I came up with, based upon the Mozilla Foundation's rules.


  • Security bug must be original and previously unreported.
  • Security bug must be a remote exploit.
  • Security bug is present in the most recent version of the Mozilla Suite, Firefox, and/or Thunderbird, as released by the Mozilla Foundation.
  • Security bugs in or caused by additional 3rd-party software (e.g. Java, plugins, extensions) are excluded from the Bug Bounty program.
  • Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the project (such as by providing check-in reviews).
  • Employees of the project (if applicable) are ineligible.
  • If multiple people report the bug the reward will be split among them equally.

Privacy in the Digital Age - Up a Clickstream Without a Paddle

So, privacy. That's kinda an important thing right now. As we go around the internets we leave all sorts of information about ourselves online. That information is valuable. No, I mean really valuable. Even if you don't submit your personal information (like name or address) to a website, you are still providing private information just by visiting a site. Don't believe me? Look at this press release from Hitwise about real estate. Notice anything? Like how visits to real estate sites are a leading indicator of home purchasing behavior. Yeah, your visits to sites, or "clickstream", are a predictor of what you think about and what you are planning to do. Looking for a house - you visit a real estate site. Looking for a new job - you visit a job site. Looking for...you get it. Your clickstream is a mirror of you - even without personal information associated with it.

Big Evil Google

What is the company that concerns you most when it comes to privacy? It's GOOGLE, right? Man, their search is so good. Their search is good and their information awareness is so strong, and not only do they have my clickstream ('cause I only find sites through their site and they know what I click), now they also have my email, spreadsheets & text documents, blog, photos, credit cards & address - shoot, they have everything too. Organized. Segmented. Cross-referenced. Searchable. Um, yikes.

Privacy of your clickstream


how to think like a programmer if all you know is cooking

So, not many people understand programming. Here's a funny/interesting way to describe programming in terms of cooking. I like it.

Similarly, I once heard an analogy about asking a software engineer to build a bridge from San Francisco to Hawaii. A software engineer would say "no problem" and then do:

    while (notInHawaii) {
        buildbridge();
    }


Unlocked GSM Cell Phone - running Linux, for less than an iPhone

So, when I saw the iPhone I got all excited and wanted to have one. Then I learned it would be locked down to Cingular's network. That won't work. I'm going to Argentina/Chile/Uruguay for about a year, leaving in September of this year. So, if I get a new phone it had better work in Argentina.


Amazon Web Services? Not with Alexa being so bad

So, Amazon is announcing their fancy Amazon Web Services system. This is supposedly so that "developers [get] direct access to Amazon's robust technology platform."

Well, as someone who uses the Alexa traffic data on a regular basis, I can tell you one thing - Alexa is apparently running on some separate "platform" that really really sucks.
