
Neel Mehta donates Heartbleed bounty to Freedom of the Press Foundation - _pius
https://hackerone.com/reports/6626
======
handsomeransoms
This is a great reminder for others to consider a donation to the Freedom of
the Press foundation's ongoing campaign to fund the development of encryption
tools to benefit journalists, sources, and everyone who communicates
digitally!

[https://pressfreedomfoundation.org/](https://pressfreedomfoundation.org/)

Huge thanks to Neel, whose donation pushed us over the edge to meet our goal!

(Full disclosure: I work for the Freedom of the Press Foundation)

------
gojomo
Nice move!

I was already wondering, though: might Mehta and/or Codenomicon have been put
on the scent of the Heartbleed bug by an inquiry from one of the journalists
with Snowden docs?

I hope we hear more about how each of the researchers found the bug – code
auditing? fuzzing? observing attempted exploits? etc – and in the same general
timeframe.

~~~
DrewHintz
No. Neel found it by auditing code. See CVE-2011-0014 for a previous OpenSSL
bug he found by auditing code. See CVE-2010-0239 to witness his awesome
ability to find bugs by auditing assembly code.

~~~
gojomo
Thanks! Do you know this because you work with him and are relaying his report
of that approach in this particular case, or do you just expect that's the
case from his usual technique and prior cases?

Wouldn't that track record of awesome ability, and his support for the Freedom
of the Press Foundation, also potentially make him a sought-after expert about
mysterious things that a journalist didn't understand in a leaked NSA (or
other) document?

Do you know if the Codenomicon researcher(s) found the issue in the same way?
(Their corporate webpage makes a big deal about their fuzzing tools.)

Do you believe it was just coincidence that both recently found this same
monumental vulnerability? How long would Mehta and/or Codenomicon typically
privately research such a bug, with or without coordination with OpenSSL
maintainers, after first confirmation of danger?

~~~
DrewHintz
You're welcome! I know this because I work on the same team with him. I'm not
familiar with what Codenomicon did and won't publicly speculate.

------
motyar
@neelmehta's Twitter description says "One day you will understand..." We do
now.

Huge thanks to Neel.

------
ronnier
What a bullet point to put on a resume. Congratulations Mr. Mehta.

~~~
tptacek
That's a nice sentiment, but for whatever it's worth: Neel Mehta is one of the
best-known and most well-respected people in vulnerability research.

------
iancarroll
Is Hackerone the thing now for reward programs?

~~~
projuce
It is one option; there is also

[https://bugcrowd.com](https://bugcrowd.com), mainly paid reward programs; you can
start using it for a bug bounty/rewards program for free (it also maintains the
bug bounty list which is used by many white hat hackers:
[https://bugcrowd.com/list-of-bug-bounty-programs/](https://bugcrowd.com/list-of-bug-bounty-programs/))

[https://crowdcurity.com](https://crowdcurity.com)

------
camus2
Cheers pal! That's a hacker with a bleeding heart! Well done.

------
iamthepieman
Bank account - 15,000

Karma + 1,000,000

------
JohnnyCat
Thank you Mr. Mehta, wherever you may be. Thank you for your fantastic audit
skill. You are an unknown super-hero working against dark forces.

------
sfall
Would Neel Mehta be ineligible to collect via his employment at Google?

