staff posted this

Waterfall Bug Bounty Programme

While I work on fixing the minor bugs that have been reported, my mind has started to wander. No show-stopping issues have been reported yet, but there are almost certainly a few lurking in the code, waiting to be found. So I thought - why not run a bounty?

What's a bug bounty programme?

Wikipedia can do a better job of explaining, but in short, a bug bounty is an official programme under which people who find serious bugs (in this case, security bugs) can be rewarded.

Why is Waterfall running one?

None has been reported yet, but somewhere in the code there's going to be a serious bug that could have serious consequences. Waterfall is a solo project that's basically for fun, and while I'm not terrible at security on my own, being solo also means there's nobody to really review my code and catch anything glaringly obvious. This means that occasionally something serious might sneak by, and having that out in public, with what amounts to "here's basically the instructions to ruin everyone's day" attached in the form of a normal bug report, is a bad idea. This is where the programme comes in.

How does it work?

Here's the page going into more detail.

In short, if you find a serious bug with security implications, you email it to the address on that page, giving me as much info as you can. It's STRONGLY advised that you use a sideblog or side account for this, but the specific considerations are outlined on the page, including how to get dev environment access for anything that might be particularly destructive.

It should be noted that this bounty is for serious bugs only, mainly those affecting security or privacy. Other bugs should still be reported through the GitHub linked in the site footer.

So what are the rewards?

Trivial bugs already earn badges, and the bounty programme is no exception - you'll get the standard ones plus a special VRP badge. In addition, for stuff that's impactful, there are cash rewards on a sliding scale by severity. It's worth noting here that while most companies offer a bit more than this in their BBPs, Waterfall is a solo project, so it's limited to what one guy could realistically afford. Better than nothing though, right?

You can take the cash yourself, or choose to donate it to charity.

With any luck, nothing major will ever be reported - but the chances of that are slim, it'd be utterly hubristic to think there are no flaws in my code that could be dangerous, and people who help defend against that definitely deserve to be rewarded.
