Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

> On 7/08/2020, at 8:04 AM, Salz, Rich <rsalz=40akamai.com@xxxxxxxxxxxxxx> wrote:
> 
> The IETF website is not worth people hacking. If you had a bounty program in my view you’d get things like “I can read your .htaccess file” or the equivalent – nobody cares.

I’ve run a bounty program that got exactly that, all from individuals using automated tools.  We paid in the region of $20 - $50 and after about 20 or so they dried up as all the basic things an automated scanner can find had been addressed.  There was no indication of anyone doing more sophisticated testing.  I was quite happy with it as a way of pushing us to take an "outside looking in" view and it was cheap and easy to administer but it basically just found the small issues we introduced ourselves in-between regular commissioned pen tests, which in my view are the one thing nobody can do without (for opsec that is).

Jay

> Maybe people will find unauthenticated access to the datatracker site and be able to do things there. Depends on what you think the risk is.
> 
> The OpenSSL website is not worth people hacking. (“Yes, thanks, being able to view the site with SSLv3 is deliberate.”)  Finding CVE bugs in the OpenSSL source was worth it, but OpenSSL never had a bug bounty program. Researchers are quite good about responsible disclosure.
>  
> Akamai does not have a bug bounty program. We also seem to be quite good about getting responsible disclosures; this week’s BlackHat presentation (https://blogs.akamai.com/2020/08/black-hat-presentation---web-cache-entanglement.html is our take on it) is an example. In the past I’ve given T-shirts to a couple of folks.

-- 
Jay Daley
IETF Executive Director
jay@xxxxxxxx