

The and-httpd server has a $2,000 "security guarantee" - andrewthornton
http://www.and.org/and-httpd/#security-guarantee

======
dpkendal
This sort of thing is not new. I think the first one was qmail:
<http://cr.yp.to/qmail/guarantee.html> followed shortly by djbdns:
<http://cr.yp.to/djbdns/guarantee.html> (which was awarded in 2009:
<http://article.gmane.org/gmane.network.djbdns/13864>)

Dovecot also has a similar guarantee: <http://dovecot.org/security.html>

As does Mozilla: <http://www.mozilla.org/security/bug-bounty.html>

Even Facebook is in on the game: <http://www.facebook.com/whitehat/bounty/>

Bug bountying in general of course started with Donald Knuth:
<http://en.wikipedia.org/wiki/Knuth_reward_check> and has recently become
moderately popular as a strategy for increasing open-source code quality:
<http://www.daemonology.net/blog/2011-09-05-lessons-learned-from-bountying-bugs.html>

~~~
tete
And Chromium:
<http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program>

------
andrewthornton
Here is the latest source for anyone with too much time on their hands:
<http://www.and.org/and-httpd/0.99.11/>

Last update from changelog is 2006-09-10

~~~
naww
Files missing.

------
dkroy
How did this get to the front page when the last update to the source was 6
years ago?

~~~
mitchi
+1

------
duked
I wanted to give it a try, had to look for the source (found it on
SourceForge), tried to ./configure, it requires a Vstr from the same website,
now need to look for the source ...

It's not like they want you to try it :D

------
josephlord
That isn't a guarantee, it's a bounty. A guarantee would pay out to all
affected customers. Affected probably would mean compromised by an attacker.

------
steve19
That page was last modified in 2006. It must have held up well against attacks
or he would be broke by now!

~~~
autotravis
"The $2,000 is only available to the first person who provides a working
attack"

------
dkhenry
I would look to find the last time the code was worked on, but there isn't
even a code repository listed.

------
pandemicsyn
Similar to the bounty Dovecot <http://dovecot.org/security.html> has.

