Wishlist Suggestion: Crowd-sourced security testing

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Wishlist Suggestion: Crowd-sourced security testing

Post by dnl » October 6th, 2015, 9:31 am

In the old days a responsible hacker (or "cracker" if you prefer that term) who was kind enough to inform a large company of a security bug might be sent a T-shirt. In recent years crowd-sourced security testing has grown dramatically and, from what I've read over the past year, crowd-sourced security testing is really good value.

IPFire is a small project and probably not getting much (if any) attention from ethical hackers. I'd like to suggest that you consider a wishlist item to raise funds for a round of crowd-sourced security testing.

IPFire uses a lot of Open Source software, some of which may have been tested, but this doesn't mean that the particular way packages are compiled, configured and bundled in IPFire is secure (despite the best efforts of our selfless developers).
  • Having a security test done (and vulnerabilities fixed) will raise the profile of IPFire. Aside from OwnCloud, for example (a project which seems very well funded), I'm not aware of an independent open-source project that has a bug bounty program.
  • If testing does uncover an upstream bug, then getting that fixed will benefit IPFire and the wider open-source community - a win-win situation.
From what I understand a lot of money need not be offered, especially as IPFire is probably a desirable distribution for new hackers to earn kudos (reputation). If this wishlist suggestion is taken up we could investigate further.

My unresearched guess is that US$100 for a major exploit would be generous for software like this, which will be relatively easy to test. A medium could be $50 and a low $25. We need only raise enough for one round of testing, say US$1250? The round can last as long as there's money left to be paid out.

I'd suggest the bounty would only be against IPFire itself and a small set of frequently-used add-ons. (There are a few stale add-ons offered by Pakfire, which shouldn't be tested before they are updated to the latest "upstream" version.)


Crowd-sourced security testing providers
I've heard good things about BugCrowd, but their competitor Hacker1 should also be investigated.

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Wishlist Suggestion: Crowd-sourced security testing

Post by dnl » October 6th, 2015, 9:34 am

PS: If the idea works well, Fountain Networks and Lightning Wire Labs might consider offering their hardware for testing with IPFire installed. They could choose to give hardware away to hackers who have already proven themselves (either from testing other products or from finding vulnerabilities in IPFire).
This could help find more vulnerabilities in IPFire and any weaknesses in the hardware itself (drivers, I'd guess). It could encourage the hackers to become a part of the IPFire community.

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Wishlist Suggestion: Crowd-sourced security testing

Post by bloater99 » October 7th, 2015, 3:06 pm

I like this suggestion. Did you send to wishlist@ipfire.org?

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Wishlist Suggestion: Crowd-sourced security testing

Post by dnl » October 9th, 2015, 9:22 am

bloater99 wrote: I like this suggestion. Did you send to wishlist@ipfire.org?
No, but I guess I should. Thanks!

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Wishlist Suggestion: Crowd-sourced security testing

Post by dnl » October 30th, 2015, 9:22 am

Sadly my email had no response. I guess they were busy with the conference?

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Wishlist Suggestion: Crowd-sourced security testing

Post by bloater99 » October 30th, 2015, 2:31 pm

dnl wrote: Sadly my email had no response. I guess they were busy with the conference?
I don't know that they respond to wishlist emails. I've sent a few myself over the last year or so and never gotten a response. I'm not sure how the wishlist is supposed to work, though. Maybe that is normal. But it would be nice to know if your wishlist suggestion is even under consideration.

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Wishlist Suggestion: Crowd-sourced security testing

Post by dnl » November 1st, 2015, 10:01 am

ummeegge wrote: At first, thanks dnl for your hard work to start with a guide like this. I think it is a very good idea.
Thanks ummeegge!

I assume your reply was for this thread viewtopic.php?f=27&t=15151&p=91533#p91533 so I'll respond there, if that's OK?
