Hacker News new | past | comments | ask | show | jobs | submit login

Seems like it would quite easy to game the system. Make contributions with known vulnerabilities and then submit an anonymous bug report when the contribution is approved.



I think the community would keep this to a minimum just through normal peer pressure and shaming.


And most open source projects run a fairly transparent dev process - almost by necessity. Doing something like that as an individual dev might be possible, but hard and likely impossible to do structurally (no guarantee to get it in, no guarantee for the project to be picked next year(s), no guarantee for nobody else to find it first, and upon discovery, risk that your scam becomes apparent).

But as a team, the only way to really pull this off involves inserting such vulnerabilities intentionally and out of sight, which means a closed dev process. Even if you orchestrate via some other medium - assuming you're using a VCS, the vulnerability will be publicly traceable to a core contributor - and if you do that regularly, you'll at the become known as a project that's a security nightmare; that might kill the project in the long run. And you might even raise suspicions purely base on the frequency and nature of vulnerabilities.

All in all: abusing this sounds like a fairly risky fraud.


Lots of fraud is risky. And often very worth it if you are very poor and live in a country where laws against fraud aren't enforced. I think the potential for abuse deserves a closer look.


In order for that to happen, someone has to get caught. I think this opportunity for abuse deserves some more careful thought about how to prevent it.


People have thought about how to prevent it -- it's not a new issue.


In that case could you provide a source or two for those of us who want to get up to date with the current thinking?


Here's one example, you can find many more with a little googling: https://stackoverflow.com/a/39708317/1370917

If you look at the question, you can see that some people don't make the connection that the motivation behind code signing is figuring out who committed suspicious code. Code that has security bugs is one interest, another is code which the committer didn't have permission to commit, for example proprietary code.


Thanks for the link. So I submit some code that is signed and it's a good contribution that closes an issue. I intentionally include a subtle bug. My friend who lives in a different country uses the bug bounty program to fix the bug and he collects the money. How do you detect that scenario with code signing?


Easier is to join a company which pays for development.


If you live in a developed country.


Follow up: This situation is similar to when England wanted Delhi to be rid of cobras so they started offering rewards for dead cobras. The citizens of Delhi responded to this incentive by farming cobras.

What's the difference? It's a systemic flaw.

If there exists an incentive for finding vulnerabilities, there exists an incentive for introducing vulnerabilities. Bug bounties work great for closed source companies because there doesn't exist a misalignment of incentives. If Johnny keeps writing buggy code, he gets fired. If anonymous234 gets his buggy pull request approved, confederate anonymous456 gets to make a few bucks.

Follow up #2: For the skeptical downvoters, I'll put my money where my mouth is and attempt to capture the bounties using the method described above.


> Follow up #2: For the skeptical downvoters, I'll put my money where my mouth is and attempt to capture the bounties using the method described above.

Please don't.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: