The European Parliament has approved budget for VLC bug bounty program
hackerone.com
Is anyone else concerned at the perverse incentives created by bug bounties on open source software?
Monetizing bugs may end up encouraging the creation of insidious, underhanded bugs explicitly so that bounties can later be claimed by other parties supposedly at arms length.
This seems a bit paranoid. It's not like OSS doesn't have code review processes.
It pays to be paranoid. I believe I'd be able to add exploitable bugs that would not be detected in most code reviews; there's a large library of techniques available from underhanded C competitions and similar.
If malicious people can add exploitable bugs and claim a bug bounty later, then they can also add exploitable bugs to actually exploit them. So I'd say that bug bounties also work here: they create an incentive to review the code of open-source projects more closely.
After a look at some of the bugs linked at http://www.underhanded-c.org/_page_id_2.html, they are very niche and difficult to exploit in any meaningful way. Not only that, but even a mediocre test suite would find something fishy with most.
>"It pays to be paranoid."
Then, it's not paranoia.
For those wondering, here is a link to underhanded c http://www.underhanded-c.org/_page_id_2.html
I'm not concerned. First, with git we can look who introduced the bugs. Second, the worst-case you fear would still imply development of the project, which is good. After all, you can't maliciously introduce a bug without changing anything.
It would be nice if they also approved one for Android Stagefright.
All monthly Android security bulletins from this year have critical CVEs in the media system.
I think Google can afford to pay for that.
Why VLC?
Because it's software the EU institutions use.
EDIT: VLC was the third-highest ranked one from a survey on what software to study, with the two already reviewed ones (KeePass and Apache HTTPD) being above it.
It's because VLC was written in Europe, in Paris specifically.
It's more multinational now, but still primarily a European project.
Realistically they are not going to fund an American project. I know the Internet makes "country" semi-obsolete (at least when describing software), countries themselves still care a lot about that.
They funded a review for Apache HTTPD before, and basically all other candidates are international projects: https://joinup.ec.europa.eu/news/ec-audit-apache-http-serve-...
I wouldn't be surprised though if EU-centric communities were more likely to know/care about this initiative (and thus voted), putting 2 european projects in the top 3.
The internet does not make countries obsolete. Who thinks that is inside a bubble that can burst horribly painfully.
The internet is a way to share information very fast and very cheap, but that's it. There are still countless other dimensions that are more important, and they are often organized by countries.
Economic welfare of all regions and decentralized power over/knowledge about infrastructure such as software is important. It is very much not irrelevant whether a project is developed in Europe, China, USA, India or Russia.
I expect authorities to take into account where the majority of the development is happening. They should do that.
EDIT: Replaced the wrong word 'fairwell' with 'welfare'.
Good points.
> Economic fairwell of all regions
You're looking for the word 'welfare' here, by the way.
They're still funding an American company (HackerOne) despite having European platforms (at least two in France for instance)
I'm trying to think of an open source project that is used as widely as VLC, and not backed by Google. Maybe there is, but I can't think of any.
SQLite
ffmpeg/libav - even VLC itself uses it.
Cups
Zlib
apache http server
curl
Yeah, mpv.io is where it's at.
So lovely. I use it on Windows. So lovely.
It also has Lua scripting support: https://mpv.io/manual/stable/#lua-scripting
Why?
mpv is dead
Their thriving Git repository says otherwise: https://github.com/mpv-player/mpv
Looks alive to me: https://github.com/mpv-player/mpv/commits/master
eh, no?
What about this rationale:
> The purpose of the procedure is to provide the European institutions with open source software projects or libraries that have been properly screened for potential vulnerabilities;
I don't think a bug bounty is a substitute for certification. And it benefits the most if it is long-run with accumulating rewards.
Making it short term with only one payout will only attract people with automated tools for the initial period. Then the code will get "certified" and forgotten. It all seems wrong. Hopefully it is just bad wording on the official PR.
> I don't think bug bounty is a substitute for certification.
Neither does the EU: by extending the free software security audit programme (FOSSA)[...]. Meaning: there already is an audit, certification and audit being synonymous for this purpose.
> making it short term
This is a trial run, to be extended later: we are trialing the VLC application on a bug bounty program
> with only one payout
There will be as many payouts as security-relevant bugs are found: Rewards may range from $100 up to $3,000.
> will only attract people with automated tools
This is a private trial, where people with automated tools submitting low-impact bugs will presumably not be invited: We invite hackers and bounty hunters (aka researchers) based on a variety of factors - reputation, previous track record (high quality reports)
> Then code will get "certified" and forgotten.
This is VLC, one of the most-used open source programs. How will code merged into the product be forgotten?
> It all seems wrong.
Indeed...
> Hopefully it is just bad wording on the official PR.
I think the problem is more likely caused by a complete lack of reading skills.
>> I don't think bug bounty is a substitute for certification.
Nor does certification preclude the need for a BB program. These are very different schemes with very different outcomes.
Shouldn't fixing bugs be a prerequisite for being certified?