Want a $200k TIP? ZDI sticks bounties on bugs in big-name server code

A bunch of new bug bounty rewards are up for grabs from the Zero Day Initiative, in a first-come, best-dressed program kicking off on August 1. The Trend Micro-backed operation announced on July 24 what it called the Targeted Incentive Program (TIP). Besides the mention of Microsoft Windows Server 2016, the TIP focuses on paying …

  1. Nick Kew

    No hypotheticals

    Good to see a bug bounty that isn't going to attract loads of wannabes to submit contrived nonsense reports in the hope of getting paid.

    But this too could have unintended effects. If someone claims the full monty, who has been pwned? The sysop who perhaps misconfigured the software? Canonical @ubuntu? Upstream packager @debian? Or the software's original dev team? Or all of the above? Lots of scope for uncertainty there, and that's without even mentioning third-party Usual Suspects like PHP in a web server.

    1. GnuTzu

      Re: No hypotheticals

      The patent office once started requiring working models to award a patent, if I remember correctly. Of course, that requirement is gone, and you can pretty much patent any concept. Yeah, there needs to be an incentive to overcome lame, and you have to define what constitutes better than lame. Maybe hypotheticals should have a fractional payoff--if you can justify what counts as a worthy hypothetical. These things are never easy.

      1. Nick Kew

        Re: No hypotheticals

        @GnuTzu - the problem with bug bounties is that they attract a lot of hopeful junk. A rather poor signal-to-noise ratio among the reports. That puts a burden on the developer community. Fair enough for a company paying its developers, but not good in the case of volunteer developers in an open source project.

        This is mitigated if whoever offers the bounty also takes it on themselves to pre-filter submissions and forward only those that look real. But not every hopeful is capable of reading TFM and submitting their "bug" to the right place. And a rejected wannabe might submit directly to us, with the hope that we accept it and they then turn round to the bounty sponsor and say "look, it was real".
