OpenSSL bug hunt: Find NEXT Heartbleed, earn $$$ – if enough people donate cash

An effort to raise $250,000 for an OpenSSL bug-bounty program is underway – and its organisers hope it will help ensure the Heartbleed omnishambles is never repeated. The campaign, spearheaded by computer security startup Bugcrowd, aims to raise the cash by 29 April: the money will be distributed as rewards to infosec bods who …


This topic is closed for new posts.
  1. Dan 55 Silver badge

    Wouldn't it have been better to crowdfund a full audit for OpenSSL, like TrueCrypt, instead of just offering a bug bounty?

    1. Roland6 Silver badge

      Open Source Funding...

      What seems to have been missed in all this is how open source projects are and should be funded.

      According to this BBC article "Heartbleed fallout may 'slow' browsing speeds": "Annual donations [to the OpenSSL Software Foundation] typically amounted to about $2,000 (£1,195)".

      So I would agree we need to find a better way of funding the original development and on-going maintenance of open source projects than we have at the present. Funding a 'jackpot' for bug finders without rewarding original development contributions is sending the wrong message, namely the ability to develop good bug free code is of lower value than the ability to break such code.

      1. This post has been deleted by its author

        1. Destroy All Monsters Silver badge

          Re: Open Source Funding...

          There is a better way to fund software development. It's where developers work for real money, and sell their products.

          That's beside the point. That business model exists and it delivers shite, too, though it may manage to create more polished products.

          One could also have megacorpses like Larry's dump a few kilobucks on the provider of the SSL functionality of what turns out to be a fat part of his product lineup, judging by the patch hurl released yesterday.

        2. MacroRodent

          Re: Open Source Funding...

          I don't think it's actually possible to put any lower value than 'free' on the contributions most people make to open source projects.

          Actually, these days the most important open-source projects have paid developers working on them, paid either by corporations that use the code, or by some non-profit. OpenSSL seems to be an exception for a high-profile project. This needs to change.

          1. DanDanDan

            Re: Open Source Funding...

            From what I hear, OpenSSL has a small (half a dozen) group of core developers who reject any and all outside contributions in terms of bug fixes, etc.

            They also have a TERRIBLY HORRIBLE code base (think #if 0 everywhere), barely any evidence anything has been refactored and barely readable code, with feck all comments in it.

            Frankly, it needs to be forked and the forked version needs funding from the megacorps who profit from the code. They can all benefit from open source by sharing the development cost and shared benefit.

            1. Not That Andrew

              Re: Open Source Funding...

              What is to prevent your forked OpenSSL from devolving into the sort of mess the OpenSSL project is in?

              1. DanDanDan

                Re: Open Source Funding...

                The same thing that prevented forked OpenOffice (LibreOffice) from devolving... better project management by a better team, with more outside involvement and input. It wouldn't be easy to do (which is why it's not been done yet I suspect).

  2. i like crisps

    It would seem that it's everyone for themselves!

    1. Destroy All Monsters Silver badge
  3. Anonymous Coward

    > 100 per cent of the proceeds will be offered to security researchers. Any leftover funds will be passed on to the OpenSSL Software Foundation

    What is the time frame before the OpenSSL Software Foundation starts to dip their greedy little mitts into the honey pot?

    They should have some of the 800 pound gorillas (G,A,M,O) take over the care taking of the code while keeping it open source. I have more faith in a room full of paid security researchers than a handful of volunteers who look at the code when they have time.

    1. Martin Summers

      Why should you get to use it or have benefit from it with an attitude like that? No bugger else bothered developing it and the small team who did bother get no reward. None of this is really their fault. It's the fault of the millions of people who use it without giving a toss about where it came from so long as it was free.

  4. Destroy All Monsters Silver badge

    ensure the Heartbleed omnishambles is never repeated

    After this message...

  5. smiths121

    Well I gave them a bit

    Hi All,

    Just did my $20 pledge (it's US after all). It is surprising just how much of our internal and external infrastructure and products we sell are affected by this. It would be nice to see some of the larger organisations that use it back this, rather than take weeks to fix their app/firmware etc - openwrt had a patch by Thursday/Friday, how come it takes the big orgs so long?

    As the advert implies -> 5 beers = $20, nice, calm, planned work time - priceless.
    1. Not That Andrew

      Re: Well I gave them a bit

      Or you could have donated directly to the OpenSSL project, not some 3rd party via a crowdfunding website.

  6. Anonymous Coward

    What I want to know ..

    .. is why Google took more than a week to brief the OpenSSL dev team of the vulnerability instead of doing it at the same time as starting work on a fix, or maybe a day later so that they had some detection of basic fix in place in case this news would leak. Isn't that the usual process: brief the originator ASAP so they get a chance to start working on it?

    Google does not strike me as the best place to keep such a secret secret anyway.

    The choice of date must not have helped either, because you'd think that something of that magnitude must be a joke at first.

    NOT impressed, and it's a question that really must be answered - what was Google doing with the knowledge of that vulnerability in the days between the 22nd and the 1st?

    1. Destroy All Monsters Silver badge

      Re: What I want to know ..

      Do transcendental meditation in a GoogleBox cozily embedded in the GoogleSpace, with colored balls in attendance.

  7. NP-Hardass

    Too good to be true...

    According to their website, they take 20% of your bounty. Ouch.

    1. Destroy All Monsters Silver badge

      Re: Too good to be true...

      This IS the age of Quantitative Self-Easing, after all.

    2. Evan Essence

      Re: Too good to be true...

      Ouch indeed, if true, but the Campaign Description says (also quoted in the article):

      100% of the proceeds will be offered to security researchers. Any leftover funds will be passed on to the OpenSSL Software Foundation. Bugcrowd will administer the bounty at it's [sic] own expense.

  8. foo_bar_baz

    Disclosure

    "The OpenSSL development team was alerted by Google on 1 April, and separately a Finnish infosec biz discovered the same bug, but would not say if they tipped anyone off about the coding error."

    This article says they alerted the local CERT, who in turn notified OpenSSL a few days after Mehta. There's even a timeline about how the news broke.

    1. DropBear

      Re: Disclosure

      So how the hell does one "independently" discover a bug that stayed undiscovered for two years within days of other people discovering it?!? I sense someone with an exceedingly poor grasp of what causation means...

      1. foo_bar_baz

        Re: Disclosure

        That coincidence has my bat-sense tingling as well. I'm not sure what you're implying with your last sentence, though.

  9. asdf

    damn you El Reg

    El Reg putting basically a thumbnail of a girl filling out a sweater which causes a click and the inevitable disappointment.

  10. Anonymous Coward

    Cash is helpful

    But the amount of cash matters. To be effective, it probably has to be substantially bigger than the amount of cash the NSA can pay to find bugs in openSSL. That might be quite a big number.
