
The European Parliament has approved budget for VLC bug bounty program - D3_4dl1N3
https://hackerone.com/vlc
======
barrkel
Is anyone else concerned at the perverse incentives created by bug bounties on
open source software?

Monetizing bugs may end up encouraging the creation of insidious, underhanded
bugs explicitly so that bounties can later be claimed by other parties
supposedly at arms length.

~~~
dvt
This seems a bit paranoid. It's not like OSS doesn't have code review
processes.

~~~
barrkel
It pays to be paranoid. I believe I'd be able to add exploitable bugs that
would not be detected in most code reviews; there's a large library of
techniques available from underhanded C competitions and similar.

~~~
a3_nm
If malicious people can add exploitable bugs and claim a bug bounty later,
then they can also add exploitable bugs to actually exploit them. So I'd say
that bug bounties also work here: they create an incentive to review the code
of open-source projects more closely.

~~~
dvt
After a look at some of the bugs linked at
[http://www.underhanded-c.org/_page_id_2.html](http://www.underhanded-c.org/_page_id_2.html),
they are _very_ niche and difficult to exploit in any meaningful way. Not only
that, but even a mediocre test suite would find something fishy with most.

------
chasil
It would be nice if they also approved one for Android Stagefright.

All monthly Android security bulletins from this year have critical CVEs in
the media system.

[https://source.android.com/security/bulletin/](https://source.android.com/security/bulletin/)

~~~
icebraining
I think Google can afford to pay for that.

------
heavenlyblue
Why VLC?

~~~
matt4077
I'm trying to think of an open source project that is used as widely as VLC,
and not backed by Google. Maybe there is, but I can't think of any.

~~~
Manozco
SQLite

------
gcbw2
What about this rationale:

> The purpose of the procedure is to provide the European institutions with
> open source software projects or libraries that have been properly screened
> for potential vulnerabilities;

I don't think a bug bounty is a substitute for certification. And it benefits
the most if it is a long run with accumulating rewards.

Making it short term with only one payout will only attract people with
automated tools for the initial period. Then code will get "certified" and
forgotten. It all seems wrong. Hopefully it is just bad wording on the
official PR.

~~~
matt4077
> I don't think bug bounty is a substitute for certification.

Neither does the EU: _by extending the free software security audit programme
(FOSSA)[...]_. Meaning: there already is an audit, certification and audit
being synonymous for this purpose.

> making it short term

This is a trial run, to be extended later: _we are trialing the VLC
application on a bug bounty program_

> with only one payout

There will be as many payouts as security-relevant bugs are found: _Rewards
may range from $100 up to $3,000._

> will only attract people with automated tools

This is a private trial, where people with automated tools submitting
low-impact bugs will presumably not be invited: _We invite hackers and bounty
hunters (aka researchers) based on a variety of factors - reputation, previous
track record (high quality reports)_

> Then code will get "certified" and forgotten.

This is VLC, one of the most-used open source programs. How will code merged
into the product be forgotten?

> It all seems wrong.

Indeed...

> Hopefully it is just bad wording on the official PR.

I think the problem is more likely caused by a complete lack of reading
skills.

